Abstract



We develop a framework for solving polynomial equations with size constraints on solutions. 
We obtain our results by showing how to apply a technique of Coppersmith for finding small 
solutions of polynomial equations modulo integers to analogous problems over polynomial rings, 
number fields, and function fields. This gives us a unified view of several problems arising 
naturally in cryptography, coding theory, and the study of lattices. We give (1) a polynomial-time
algorithm for finding small solutions of polynomial equations modulo ideals over algebraic
number fields, (2) a faster variant of the Guruswami-Sudan algorithm for list decoding of Reed-Solomon
codes, and (3) an algorithm for list decoding of algebraic-geometric codes that handles
both single-point and multi-point codes. Coppersmith's algorithm uses lattice basis reduction to 
find a short vector in a carefully constructed lattice; powerful analogies from algebraic number 
theory allow us to identify the appropriate analogue of a lattice in each application and provide 
efficient algorithms to find a suitably short vector, thus allowing us to give completely parallel 
proofs of the above theorems. 

1 Introduction 

Many important problems in areas ranging from cryptanalysis to coding theory amount to solving 
polynomial equations with side constraints or partial information about the solutions. 

One of the most important cases is solving equations given size bounds on the solutions. 
Coppersmith's algorithm is a celebrated technique for finding small solutions to polynomial equations 
modulo integers, and it has many important applications in cryptography, particularly in the 
cryptanalysis of RSA. 

In this paper, we show how the ideas of Coppersmith's theorem can be extended to a more general 
framework encompassing the original number-theoretic problem, list decoding of Reed-Solomon and 
algebraic-geometric codes, and the problem of finding solutions to polynomial equations modulo 
ideals in rings of algebraic integers. These seemingly different problems are all perfectly analogous 
when viewed from the perspective of algebraic number theory. 

Coppersmith's algorithm provides a key example of the power of lattice basis reduction. In order 
to extend the method beyond the integers, we illuminate the analogous structures for polynomial 
rings, number fields, and function fields. Ideals over number fields have a natural embedding into a
lattice, and thus we can find a short vector simply by applying the LLL algorithm to this canonical 
embedding. In contrast to integer lattices, it turns out that lattice basis reduction is much easier 
over a lattice of polynomials, and in fact a shortest vector can always be found in polynomial time. 
Recasting the list decoding problem in this framework allows us to take advantage of very efficient 
reduction algorithms and thus achieve the fastest known list decoding algorithm for Reed-Solomon 
codes. 

Extending this approach to function fields involves numerous technical difficulties. In addition, 
we prove a much more general result about finding short vectors under arbitrary non-Archimedean
norms, which may have further applications beyond list decoding of algebraic-geometric codes. As 
an illustration of the generality of our approach, we give the first list decoding algorithm that works 
for all algebraic-geometric codes, not just those defined using a single-point divisor. 

In the remainder of the introduction, we set up our framework with a brief review of Coppersmith's 
theorem, and then state our theorems on polynomial rings, number fields, and function fields. 



1.1 Coppersmith's theorem 

The following extension of Coppersmith's theorem [10] was developed by Howgrave-Graham [22]
and May [34].

Theorem 1.1 ([10, 22, 34]). Let $f(x)$ be a monic polynomial of degree $d$ with coefficients modulo
an integer $N > 1$, and suppose $0 < \beta \le 1$. In time polynomial in $\log N$ and $d$, one can find all
integers $w$ such that

$$|w| \le N^{\beta^2/d}$$

and

$$\gcd(f(w), N) \ge N^{\beta}.$$

Note that when $\beta = 1$, this amounts to finding all sufficiently small solutions of $f(w) \equiv 0
\pmod N$, and the general theorem amounts to solving $f(w) \equiv 0 \pmod B$, where $B$ is a large factor
of $N$.

We give a brief example to illustrate the power of this theorem in cryptography [10, 22]. Imagine
that an adversary has obtained through a side-channel attack some knowledge about one of the
prime factors $p$ of an RSA modulus $N = pq$, for example the high-order half of its bits. We denote
this known quantity by $r$. Then we may write $p = r + w$ where $0 \le w \le N^{1/4 + o(1)}$ (we assume, as
is typical, that $p$ and $q$ are both $N^{1/2 + o(1)}$). Now let $f(x) = x + r$ and $\beta = 1/2 + o(1)$. Theorem 1.1
tells us that we can in polynomial time learn $w$, and hence $p$, thereby factoring $N$.

Further applications of this theorem in cryptography include other partial key recovery attacks
against RSA [3, 5], attacks on stereotyped messages and improper padding [10], and the proof of
security for the RSA-OAEP+ padding scheme [41]. See [35] for many other applications.

It is remarkable that Theorem 1.1 allows us to solve polynomial equations modulo $N$ without
knowing the factorization of N, and this fact is critical for the cryptanalytic applications. However, 



even if one already has the factorization, Theorem 1.1 remains nontrivial if N has many prime 
factors. 

To solve an equation modulo a composite number, one generally solves the equation modulo each 
prime power factor of the modulus and uses the Chinese remainder theorem to construct solutions 
for the original modulus. (Recall that modulo a prime, such equations can be solved in polynomial 
time, and we can use Hensel's lemma to lift the solutions to prime power moduli.) The number of
possible solutions can be exponential in the number of prime factors, in which case it is infeasible 
to enumerate all of the roots and then select those that are within the desired range. In fact, the 
problem of determining whether there is a root in an arbitrary given interval is NP-complete [32]. Of
course, if $N$ has only two prime factors, there can be only $d^2$ solutions modulo $N$, but our methods
are incapable of distinguishing between numbers with two or many prime factors.

It is not even obvious that the number of roots modulo $N$ of size at most $N^{1/d}$ is polynomially
bounded. From this perspective, the exponent $1/d$ is optimal without further assumptions, because
$f(x) = x^d$ will have exponentially many roots modulo $N = k^d$ of absolute value at most $N^{1/d + \varepsilon}$
(specifically, the $2N^{\varepsilon}$ such multiples of $k$). Theorem 1.1 can be seen as a constructive bound on the
number of solutions. See for further discussion of this argument and [25] for non-constructive
bounds.



1.2 A polynomial analogue 

To introduce our analogies, we will begin with the simplest and most familiar case: polynomials. 

There is an important analogy in number theory between the ring Z of integers and the ring 
F[z] of univariate polynomials over a field F. To formulate the analogue of Coppersmith's theorem, 
one just needs to recognize that the degree of a polynomial is the appropriate measure of its 
size. Thus, the polynomial version of Coppersmith's theorem should involve finding low-degree 
solutions of polynomial equations over $F[z]$ modulo a polynomial $p(z)$. That is, given a polynomial
$f(x) = \sum_{i=0}^{d} f_i(z)\, x^i$ with coefficients $f_i(z) \in F[z]$, we seek low-degree polynomials $w(z) \in F[z]$ such
that $f(w(z)) \equiv 0 \pmod{p(z)}$.

In the following theorem, we assume that we can efficiently represent and manipulate elements 
of F, and that we can find roots in F[z] of polynomials over F[z]. For example, that holds if we 
can factor bivariate polynomials over F in polynomial time. This assumption holds for many fields, 
including Q and even number fields [27] as well as all finite fields [18] (with a randomized algorithm 
in the latter case). 

Theorem 1.2. Let $f(x)$ be a monic polynomial in $x$ of degree $d$ over $F[z]$ with coefficients modulo
$p(z)$, where $\deg_z p(z) = n > 0$. In polynomial time, for $0 < \beta \le 1$, one can find all $w(z) \in F[z]$
such that

$$\deg_z w(z) < \beta^2 n/d$$

and

$$\deg_z \gcd\bigl(f(w(z)), p(z)\bigr) \ge \beta n.$$
In the case when p{z) factors completely into linear factors, this theorem is equivalent to the 



influential Guruswami-Sudan theorem on list decoding of Reed-Solomon codes [21]. See Section 4.2 



for the details of the equivalence. The above statement of Theorem 1.2 as well as the extension to 
higher-degree irreducible factors, appear to be new. 

It has long been recognized that the Coppersmith and Guruswami-Sudan theorems are in
some way analogous, although we are unaware of any previous, comparably explicit statement of
the analogy. Boneh used Coppersmith's theorem in work on Chinese remainder theorem codes
inspired by the Guruswami-Sudan theorem [6], and in a brief aside in the middle of [3], Bernstein
noted that Guruswami-Sudan is the polynomial analogue of a related theorem of Coppersmith,
Howgrave-Graham, and Nagaraj [12]. See also [20] for a general ideal-theoretic setting for coding
theory, and [13] for a survey of relationships between list decoding and number-theoretic codes.






1.3 Number fields 



A number field is a finite extension of the field Q of rational numbers. Thus it is natural to investigate 
how a statement over the rationals, the simplest number field, extends to more general number 
fields. We extend our analogy by adapting Coppersmith's theorem to the number field case. 
Every number field $K$ is of the form

$$K = \mathbb{Q}(\alpha) = \{a_0 + a_1 \alpha + \cdots + a_{n-1} \alpha^{n-1} : a_0, \ldots, a_{n-1} \in \mathbb{Q}\},$$

where $\alpha$ is an algebraic number of degree $n$ (i.e., a root of an irreducible polynomial of degree $n$ over
$\mathbb{Q}$). The degree of $K$ is defined to be $n$. Within $K$, there is a ring $O_K$ called the ring of algebraic
integers in $K$. It plays the same role within the field $K$ as the ring $\mathbb{Z}$ of integers plays within $\mathbb{Q}$.
Sometimes $O_K$ is of the form $\mathbb{Z}[\alpha]$, but sometimes it is more subtle.

Recall that an ideal in a ring is a non-empty subset closed under addition and under multiplication 
by arbitrary elements of the ring. (Intuitively, it is a subset modulo which one can reduce elements 
of the ring.) For example, the multiples of any fixed element form an ideal, called a principal ideal. 
In $\mathbb{Z}$ every ideal is of that form, but that is not usually true in $O_K$.

In $O_K$, we study the solutions of polynomial equations modulo ideals, the analogue of such
equations modulo integers in $\mathbb{Z}$. To measure the size of a nonzero ideal $I$ in $O_K$, we will use its
norm $N(I) = |O_K/I|$, i.e., the size of the quotient ring.

A final conceptual issue that makes this case more subtle is that a number field of degree $n$ has
$n$ absolute values $|\cdot|_i$ corresponding to its $n$ embeddings into $\mathbb{C}$ (as we will explain in Section 5),
and to obtain the theorem it is necessary to bound them all simultaneously.

The number field analogue of Coppersmith's theorem is as follows: 

Theorem 1.3. Let $K$ be a number field of degree $n$ with ring of integers $O_K$, $f(x) \in O_K[x]$ a monic
polynomial of degree $d$, and $I \subseteq O_K$ an ideal in $O_K$. Assume that we are given $O_K$ and $I$ explicitly
by integral bases. For $0 < \beta \le 1$ and $\lambda_1, \ldots, \lambda_n > 0$, in time polynomial in the input length and
exponential in $n^2$ we can find all $w \in O_K$ with $|w|_i < \lambda_i$ such that

$$N\bigl(\gcd(f(w)O_K, I)\bigr) \ge N(I)^{\beta},$$

provided that

$$\prod_i \lambda_i \le N(I)^{\beta^2/d}.$$

Furthermore, in polynomial time we can find all such $w$ provided that

$$\prod_i \lambda_i \le (2 + o(1))^{-n^2/2}\, N(I)^{\beta^2/d}.$$

Equivalently, we can find small solutions of equations $f(x) \equiv 0 \pmod J$, where the ideal $J$ is
a large divisor of $I$. Using improved lattice basis reduction algorithms [2] we can achieve slightly
subexponential behavior in $n^2$. Note also that $\gcd(f(w)O_K, I)$ is the largest common divisor of the
principal ideal $f(w)O_K$ and $I$, i.e., the smallest ideal that contains both of them; in other words, it
is their sum $f(w)O_K + I$.

When $n$ is fixed, our algorithm runs in polynomial time, but the dependence on $n$ is exponential.
That appears to be unavoidable using our techniques, but it is not a serious drawback. Many
number-theoretic algorithms behave poorly for high-degree number fields, and most computations
are therefore done in low-degree cases. Even for a fixed number field $K$, Theorem 1.3 remains of
interest.

Several problems over number fields have been proposed as the basis for cryptosystems; see,
for example, [8] for a survey of problems over quadratic number fields. More recently, Peikert and
Rosen [37] and Lyubashevsky, Peikert, and Regev [31] developed lattice-based cryptographic schemes
using lattices representing the canonical embeddings of ideals in number fields. As a special case,
Theorem 1.3 can be used to solve certain cases of the bounded-distance decoding problem for such
lattices, and improving our approximation factor from $(2 + o(1))^{n^2/2}$ to $2^n \sqrt{|\Delta_K|}$, where $\Delta_K$ is
the discriminant of $K$, would solve the problem in general; see Section 5.3 for more details.

In addition, number fields have many applications to purely classical problems, the most
prominent example being the number field sieve factoring algorithm. All sieve algorithms require
generating smooth numbers, and in this context Boneh [6] showed how to use Coppersmith's theorem
to find smooth integer solutions of polynomials in short intervals. Using Theorem 1.3 analogously,
one can do the same over number fields.

We prove Theorem 1.3 in Section 5.



1.4 Function fields 

Algebraic number theorists have developed a more sophisticated version of the analogy between the 
integers and polynomial rings. A global field is a finite extension of either the field Q of rational 
numbers (called a number field, as we have seen) or the field of rational functions on an algebraic 
curve over a finite field, called function fields (of curves, as opposed to higher-dimensional varieties). 
The parallels between number fields and function fields are truly astonishing, and this analogy has 
played a crucial role in the development of number theory over the last century. 

We now complete the analogy by extending Coppersmith's theorem to the function field case. 
See Section [6] for a more thorough review of the setting and notation. 

Theorem 1.4. Let $X$ be a smooth, projective, absolutely irreducible algebraic curve over $\mathbb{F}_q$, and let
$K$ be its function field over $\mathbb{F}_q$. Let $D$ be a divisor on $X$ whose support $\mathrm{supp}(D)$ is contained in the
$\mathbb{F}_q$-rational points $X(\mathbb{F}_q)$, let $S$ be a subset of $X(\mathbb{F}_q)$ that properly contains $\mathrm{supp}(D)$, let $O_S$ denote
the subring of $K$ consisting of functions with poles only in $S$, and let $\mathcal{L}(D)$ be the Riemann-Roch
space

$$\mathcal{L}(D) = \{0\} \cup \{f \in K^* : (f) + D \ge 0\}.$$

Let $f(x) \in O_S[x]$ be a monic polynomial of degree $d$, and let $L$ be a proper ideal in $O_S$.
Then for $0 < \beta \le 1$, in probabilistic polynomial time, we can find all $w \in \mathcal{L}(D)$ such that

$$N\bigl(\gcd(f(w)O_S, L)\bigr) \ge N(L)^{\beta},$$

provided that

$$q^{\deg(D)} < N(L)^{\beta^2/d}.$$



In the case when $S$ contains only a single point, the function field version of Coppersmith's
theorem is equivalent to the Guruswami-Sudan theorem on list decoding of algebraic-geometric codes,
as we will outline in Section 6. The Guruswami-Sudan theorem and the earlier Shokrollahi-Wasserman
theorem in [40] are specialized to that case, which covers many but not all algebraic-geometric codes.
Our theorem extends list decoding to the full range of such codes.

We assume that we can efficiently compute bases of Riemann-Roch spaces for divisors in $X$.
That can be done in many important cases (for example, for a smooth plane curve, or even one
with ordinary multiple points [23]), and it is a reasonable assumption because even the encoding
problem for algebraic-geometric codes requires a basis of a Riemann-Roch space. Note also that
although our algorithm is probabilistic, it is guaranteed to give the correct solution in expected
polynomial time; in other words, it is a "Las Vegas" algorithm.

We prove Theorem 1.4 in Section 6.



1.5 Analogies in number theory 

The connections we have described are not isolated phenomena. Many theorems in number theory 
and algebraic geometry have parallel versions for the integers and for polynomial rings, or more 
generally for number fields and function fields, and translating statements or techniques between 
these settings can lead to valuable insights. 

One particular advantage of this sort of arbitrage is that proving results for polynomial rings is 
usually easier. For example, the prime number theorem for $\mathbb{Z}$ is a deep theorem, but the analogue
for the polynomial ring $\mathbb{F}_q[z]$ over a finite field is much simpler. It says that asymptotically a $1/n$
fraction of the $q^n$ monic polynomials of degree $n$ are irreducible, and in fact the error term is on the
order of $q^{n/2}$ (see Lemma 14.38 in [17]). Proving a similarly strong version of the prime number
theorem for $\mathbb{Z}$ would amount to proving the Riemann hypothesis. Similarly, the ABC conjecture for
$\mathbb{Z}$ is a profound unsolved problem, while for polynomial rings it has an elementary proof [33].

Thus, polynomial rings are worlds in which many of the fondest dreams of mathematicians have 
come true. If a result cannot be proved in such a setting, then it is probably not even worth trying 
to prove it in $\mathbb{Z}$. If it can be proved for polynomial rings, then the techniques may not apply to the
integers, but they often provide inspiration for how a proof might work if technical obstacles can be 
overcome. 

Similarly, in computer science many computational problems that appear to be hard for integers
are tractable for polynomials. For example, factoring polynomials can be done in polynomial time
for many fields, while for the integers the problem seems to be hard. The polynomial analogue of
the shortest vector problem for lattices can be solved exactly in polynomial time [16], while for
integer lattices the problem is NP-hard (under randomized reductions) [1]. This difference in the
difficulty of lattice problems is at the root of the poor running time in Theorem 1.3 for number
fields of high degree.



2 Preliminaries 

One of the main steps in Coppersmith's theorem uses lattice basis reduction to find a short vector 
in a lattice. In this section, we will review preliminaries on integral lattices, and introduce the 
analogues that we will use in our generalizations. 



2.1 Integer lattices 

Recall that a lattice is a discrete subgroup of $\mathbb{R}^m$ of rank $m$. Equivalently, it is the set of integer
linear combinations of a basis of $\mathbb{R}^m$.

The determinant $\det(L)$ of a lattice $L$ is the absolute value of the determinant of any basis
matrix; it is not difficult to show that it is independent of the choice of basis. One way to see
why is that the determinant is the volume of the quotient $\mathbb{R}^m/L$, or equivalently the volume of a
fundamental parallelotope.

One of the fundamental problems in lattice theory is finding short vectors in lattices, with
respect to the $\ell_p$ norm

$$|v|_p = \Bigl(\sum_{i=1}^{m} |v_i|^p\Bigr)^{1/p}.$$

Most often we use the $\ell_2$ norm, which is of course the usual Euclidean distance. The LLL lattice
basis reduction algorithm [29] can be used to find a short vector in a lattice.

Theorem 2.1 ([29]). Given a basis of a lattice $L$ in $\mathbb{R}^m$, a nonzero vector $v \in L$ satisfying

$$|v|_2 \le 2^{(m-1)/4} \det(L)^{1/m}$$

can be found in polynomial time.

2.2 Polynomial lattices

A lattice is a module over the ring $\mathbb{Z}$ of integers. In other words, not only is it an abelian group
under addition, but we can also multiply lattice vectors by integers and thus take arbitrary integer
combinations of them. More generally, a module for a ring $R$ is an abelian group in which we can
multiply by elements of $R$ (in a way that satisfies the associative and distributive laws). In other
words, an $R$-module is exactly like an $R$-vector space, except that $R$ is not required to be a field, as
it is in the definition of a vector space.

The module $R^m$ with componentwise scalar multiplication is called a free $R$-module of rank $m$.
Every lattice is a free $\mathbb{Z}$-module, and free $R$-modules will be the analogous structure for the ring $R$.

For example, if R is the polynomial ring F[z] over a field F, then we define a polynomial lattice 
to be a free module over F[z] of finite rank. A polynomial lattice will usually be generated by a 
basis of vectors whose coefficients are polynomials in z. Vectors in our polynomial lattice will be 
linear combinations of the basis vectors (where the coefficients are also polynomials in z). 

As we will see later, an appropriate definition of the length (i.e., degree) of such a lattice vector
is the maximum degree of its coordinates:

$$\deg_z \bigl(v_1(z), v_2(z), \ldots, v_m(z)\bigr) = \max_i \deg_z v_i(z). \qquad (2.1)$$

This defines a non-Archimedean norm. In fact, for lattices with a norm defined as above, it is
possible to find the exact shortest vector in polynomial time (see, for example, [16]).

Lattices of polynomials have been well studied because of their applications to the study of linear
systems. There are several notions of basis reduction for such lattices. A basis is column-reduced
(or, as appropriate, row-reduced) if the degree of the determinant of the lattice (i.e., of a basis matrix)
is equal to the sum of the degrees of its basis vectors. Such bases always contain a minimal vector
for the lattice, and $m$-dimensional column reduction can be carried out in $m^{\omega + o(1)} D$ field operations
[19], where $\omega$ is the exponent of matrix multiplication and $D$ is the greatest degree occurring in the
original basis of the lattice.



In particular, for an $m$-dimensional lattice $L$ with the norm (2.1), the above algorithms are
guaranteed to find a nonzero vector $v$ for which

$$\deg v \le \frac{1}{m} \deg \det L,$$

where $\det L$ denotes the determinant of a lattice basis.
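As an added example (not code from the paper), the following Python program reduces a basis of an $F[z]$-lattice by the simple transformations of Mulders and Storjohann until no two rows share a pivot index (weak Popov form). Such a basis is row-reduced in the sense above, so the sum of its row degrees equals $\deg \det L$ and its lowest-degree row attains the bound $\deg v \le \frac{1}{m} \deg \det L$ with no approximation factor. Everything here is a construction for the demo: the field is $F = \mathrm{GF}(7)$, the starting basis is the diagonal matrix $\mathrm{diag}(z^3+1, z^2+3, z+2)$ (so $\deg \det = 6$) scrambled by unimodular row operations, and the function names are mine.

```python
"""Row reduction of a polynomial lattice over F = GF(P) by simple transformations.
Added example, not the paper's code. Polynomials are coefficient lists, index = power of z."""
P = 7   # demo field F = GF(7); any prime works

def trim(a):
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def deg(a):
    return len(a) - 1           # deg(0) = -1 under this convention

def add(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])

def mul(a, b):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)

def neg(a):
    return trim([-c for c in a])

def det(M):
    """Determinant over F[z] by Laplace expansion along the first row (fine for small m)."""
    if len(M) == 1:
        return M[0][0]
    total = []
    for j, e in enumerate(M[0]):
        minor = [r[:j] + r[j + 1:] for r in M[1:]]
        term = mul(e, det(minor))
        total = add(total, term if j % 2 == 0 else neg(term))
    return total

def row_deg(row):
    """The norm (2.1): maximum degree of the coordinates."""
    return max(deg(e) for e in row)

def pivot(row):
    """Rightmost coordinate whose degree equals the row degree."""
    d = row_deg(row)
    return max(i for i, e in enumerate(row) if deg(e) == d)

def lead(row):
    return row[pivot(row)][row_deg(row)]

def reduce_basis(basis):
    """While two rows share a pivot index, cancel the leading term of the higher-degree
    row with a c*z^shift multiple of the other (Mulders-Storjohann simple transformation).
    Each step lowers (row degree, pivot) of one row, so it terminates; the result has
    distinct pivots, hence sum of row degrees == deg det (row-reduced basis)."""
    rows = [[trim(e) for e in r] for r in basis]
    while True:
        seen, clash = {}, None
        for i, r in enumerate(rows):
            p = pivot(r)
            if p in seen:
                clash = (seen[p], i)
                break
            seen[p] = i
        if clash is None:
            return rows
        i, j = clash
        if row_deg(rows[i]) < row_deg(rows[j]):
            i, j = j, i
        shift = row_deg(rows[i]) - row_deg(rows[j])
        c = (-lead(rows[i]) * pow(lead(rows[j]), -1, P)) % P
        factor = [0] * shift + [c]                  # c * z^shift
        rows[i] = [add(a, mul(factor, b)) for a, b in zip(rows[i], rows[j])]

def shortest_vector(basis):
    """A shortest nonzero lattice vector under (2.1): the lowest-degree row of a reduced basis."""
    return min(reduce_basis(basis), key=row_deg)

def demo_basis():
    """Constructed input: diag(z^3+1, z^2+3, z+2), so deg det = 6, scrambled by
    unimodular row operations so that the given basis is far from reduced."""
    z = lambda k: [0] * k + [1]
    r0 = [[1, 0, 0, 1], [], []]
    r1 = [[], [3, 0, 1], []]
    r2 = [[], [], [2, 1]]
    r0 = [add(a, mul(add(z(2), z(1)), b)) for a, b in zip(r0, r1)]   # r0 += (z^2+z) r1
    r1 = [add(a, mul(z(4), b)) for a, b in zip(r1, r2)]              # r1 += z^4 r2
    r2 = [add(a, mul([5, 1], b)) for a, b in zip(r2, r0)]            # r2 += (z+5) r0
    return [r0, r1, r2]

if __name__ == "__main__":
    B = demo_basis()
    R = reduce_basis(B)
    print([row_deg(r) for r in B], "->", [row_deg(r) for r in R], "deg det =", deg(det(B)))
```

The check worth keeping in mind is the one the paper states: after reduction the row degrees sum to $\deg \det$ (here 6), whereas the scrambled input has row degrees summing to 14; the shortest row therefore has degree at most $6/3 = 2$. Unlike LLL over the integers, nothing is lost to an approximation factor.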
2.3 Finding short vectors under general non-Archimedean norms

The above algorithms are specialized to norms defined by (2.1), but there are other non-Archimedean
norms, and we will need to use them in the proof of Theorem 1.4 in the function field setting. In fact,
for all non-Archimedean norms, it is possible to find a short vector in a lattice simply by solving a
system of linear equations. Solving such a system may be less efficient than a specialized algorithm,
but it allows us to give a general approach that will work in polynomial time for any norm.
Let $R = F[z]$ be a polynomial ring over a field $F$, and for $r \in R$ define

$$|r| = C^{\deg_z(r)}$$

for some arbitrary constant $C > 1$; we take $|0| = 0$ as a special case. Note that $|z| = C$, and thus we
can write $|r| = |z|^{\deg_z(r)}$.

Suppose we have any norm $|\cdot|$ on $R^m$ that satisfies the following three properties:

1. For all $v \in R^m$, $|v| \ge 0$, and $|v| = 0$ if and only if $v = 0$.

2. For all $v, w \in R^m$, $|v + w| \le \max(|v|, |w|)$.

3. For all $v \in R^m$ and $r \in R$, $|rv| = |r|\,|v|$.

Note that taking

$$|(v_1(z), v_2(z), \ldots, v_m(z))| = C^{\max_i \deg_z v_i(z)}$$

defines such a norm, but the extra generality will prove useful in Section 6.

Let $M \subseteq R^m$ be a submodule of rank $m$ (so the quotient $F$-vector space $R^m/M$ is finite-dimensional),
and let $d = \dim_F(R^m/M)$.

Lemma 2.2. For any $R$-basis $b_1, \ldots, b_m$ of $R^m$, there exists a nonzero vector $v \in M$ such that

$$|v| \le \sqrt[m]{|b_1| \cdots |b_m|}\; |z|^{d/m}.$$

Proof. We will construct a nonzero vector satisfying $|v| \le |z|^c$ for some constant $c$ to be determined,
and then we will optimize the choice of $c$. Let $|b_i| = |z|^{n_i}$, and consider the space of polynomials

$$V = \Bigl\{ \sum_i r_i b_i : r_i \in R \text{ and } \deg_z r_i \le c - n_i \Bigr\}.$$

Every $v \in V$ satisfies $|v| \le |z|^c$, and $V$ is an $F$-vector space. To compute its dimension, note
that $r_i$ is determined by $\lfloor c - n_i \rfloor + 1 > c - n_i$ coefficients. Because $b_1, \ldots, b_m$ is an $R$-basis,
$\dim_F V > mc - \sum_i n_i$.

If we take $c = (d + \sum_i n_i)/m$, then $\dim_F V > d$. Thus, there exists a nonzero element $v$ of $V$
that maps to zero in the $d$-dimensional quotient space $R^m/M$ and hence lies in $M$. It satisfies

$$|v| \le |z|^c = \sqrt[m]{|b_1| \cdots |b_m|}\; |z|^{d/m},$$

as desired. □



Lemma 2.3. Under the hypothesis of Lemma 2.2, a vector satisfying $|v| \le \sqrt[m]{|b_1| \cdots |b_m|}\; |z|^{d/m}$
can be found in polynomial time (given an $R$-basis of $M$).
Proof. In the notation of the proof of Lemma 2.2, we will show that we can find small coefficients
$r_1, \ldots, r_m \in R$ (not all zero) such that $\sum_i r_i b_i$ is in $M$. Suppose $w_1, \ldots, w_m$ is an $R$-basis of $M$.
Then the elements of $M$ are those that can be written as $\sum_j s_j w_j$ with $s_j \in R$. Given a polynomial
bound for the degrees of $s_1, \ldots, s_m$, we could determine the coefficients $r_i$ and $s_j$ by solving linear
equations over $F$ for their coefficients. To specify these equations, we write $w_1, \ldots, w_m$ as $R$-linear
combinations of $b_1, \ldots, b_m$. Define the matrix $W$ over $R$ by $w_j = \sum_i W_{ij} b_i$ for each $j$. Then

$$\sum_i r_i b_i = \sum_j s_j w_j$$

amounts to $r = Ws$, where $s$ and $r$ are the column vectors with entries $s_j$ and $r_i$, respectively.
Thus, $s$ determines $r$ in a simple way, and all we need is to choose $s_1, \ldots, s_m$ so that the
relationship $r = Ws$ implies $\deg_z r_i \le c - n_i$, with $c$ and $n_i$ defined as in the proof of Lemma 2.2. It
is not difficult to bound the degrees of the polynomials $s_i$ as follows. Let $\widetilde{W}$ be the adjugate matrix
of $W$ (so $\widetilde{W} W = \det(W) I$). Then

$$\widetilde{W} r = \det(W)\, s.$$

It follows that for each $i$,

$$\deg_z \det(W) + \deg_z s_i \le \max_j \bigl(\deg_z \widetilde{W}_{ij} + \deg_z r_j\bigr).$$

However, the entries $\widetilde{W}_{ij}$ of $\widetilde{W}$ have degree bounded by $m - 1$ times the maximum degree of an entry
of $W$ (because they are given by determinants of $(m-1) \times (m-1)$ submatrices of $W$). Thus, $\deg_z s_i$
is polynomially bounded, and we can locate a suitable vector $v$ by solving a system of polynomially
many linear equations over $F$. □

Note that for a rank $m$ submodule $M$ of $R^m$, the degree of the determinant of a basis matrix $B$
for $M$ is the dimension of the quotient $R^m/M$. Thus, in Lemma 2.2, if $|b_1| = \cdots = |b_m| = 1$, then
the norm of a minimal vector is bounded by $|\det(B)|^{1/m}$. The exponential approximation factor
that occurs in LLL lattice basis reduction does not occur here.



3 Coppersmith's theorem 

We now review how Coppersmith's method works over the integers, as this provides a template for 
the techniques we will apply later. We will follow the exposition of May [35].

Let $f(x)$ be a monic univariate polynomial of degree $d$, and $N$ an integer of potentially unknown
factorization. We wish to find all small integers $w$ such that $\gcd(f(w), N)$ is large.

To do so, we will choose some positive integer $k$ (to be determined later) and look at integer
combinations of the polynomials $x^j f(x)^i N^{k-i}$. If $B$ divides both $N$ and $f(w)$, then $B^k$ will divide
$w^j f(w)^i N^{k-i}$ and thus also any linear combination of such polynomials.

Let

$$Q(x) = \sum_{i,j} a_{i,j}\, x^j f(x)^i N^{k-i} = \sum_i q_i x^i,$$

for some coefficients $a_{i,j}$ and $q_i$ to be determined. We will choose $Q$ so that the small solutions to
our original congruence become actual solutions of $Q(x) = 0$ in the integers. This will allow us to
find $w$ by factoring $Q(x)$ over the rationals. The construction of $Q$ tells us that

$$Q(w) \equiv 0 \pmod{B^k}. \qquad (3.1)$$
If in addition we have a lower bound $N^{\beta}$ on the size of $B$, and we can show that

$$|Q(w)| < N^{\beta k} \le B^k, \qquad (3.2)$$

then $Q(w) = 0$ and we may find $w$ by factoring $Q$. In fact, this observation tells us that we can find
all such $w$ in this way. A similar observation will appear in all of our proofs.

In the case of the integers, we introduce the bound $|w| \le X$ on our roots, and the triangle
inequality tells us that

$$|Q(w)| \le \sum_i |q_i| X^i. \qquad (3.3)$$

To finish the theorem, we will show that we can choose $Q$ so that its coefficients $q_i$ satisfy

$$\sum_i |q_i| X^i < N^{\beta k}. \qquad (3.4)$$
We are now ready to prove Coppersmith's theorem for the integers. 

Proof of Theorem 1.1. Having outlined the general technique above, it remains to be shown that
we can construct a polynomial $Q(x)$ whose coefficients satisfy the bound in (3.4).
The polynomial $Q(x)$ will be a linear combination of the polynomials

$$x^j f(x)^i N^{k-i} \quad \text{for } 0 \le i < k \text{ and } 0 \le j < d$$

and

$$x^j f(x)^k \quad \text{for } 0 \le j < t.$$

The right-hand side of (3.3) is the $\ell_1$ norm of the vector of coefficients of the polynomial $Q(xX)$,
which in turn will be a linear combination of the polynomials $(xX)^j f(xX)^i N^{k-i}$. Finding our
desired $Q(x)$ is thus equivalent to finding a suitably short vector in the lattice $L$ spanned by the
coefficient vectors of the polynomials $(xX)^j f(xX)^i N^{k-i}$.

To compute the determinant of this lattice, we can order the basis vectors by the degrees of the
polynomials they represent to obtain a triangular matrix whose determinant is the product
of the terms on the diagonal (the leading coefficient of $(xX)^j f(xX)^i N^{k-i}$ is $X^{j+di} N^{k-i}$, since $f$ is monic):

$$\det(L) = \prod_{0 \le i < dk+t} X^i \prod_{0 \le j < k} N^{d(k-j)} = X^{(dk+t)(dk+t-1)/2}\, N^{dk(k+1)/2}.$$

Set $m = dk + t$. We can use the LLL algorithm [29] to find a vector $v$ whose $\ell_2$ norm is bounded
by

$$|v|_2 \le 2^{(m-1)/4} \det(L)^{1/m}.$$

By Cauchy-Schwarz, $|v|_1 \le \sqrt{m}\,|v|_2$, and hence for any $|w| \le X$,

$$|Q(w)| \le \sqrt{m}\, 2^{(m-1)/4} \det(L)^{1/m}.$$

We assume $m \ge 7$, so that $\sqrt{m} < 2^{(m-1)/4}$, and use the weaker bound

$$|Q(w)| < 2^{(m-1)/2} \det(L)^{1/m}.$$

To prove inequality (3.2), we must show that

$$|Q(w)| < 2^{(m-1)/2} \bigl(X^{m(m-1)/2} N^{dk(k+1)/2}\bigr)^{1/m} \le N^{\beta k}.$$

Taking $k$-th roots, this inequality is equivalent to

$$(2X)^{(m-1)/(2k)}\, N^{d(k+1)/(2m)} \le N^{\beta}. \qquad (3.5)$$

Applying Lemma 3.1 below with $\ell = \log 2X$ and $n = \log N$ (logarithms to base 2), we obtain parameters $k$ and $t$ such
that (3.5) holds for

$$2X \le N^{\beta^2/d - \varepsilon}.$$

To eliminate $\varepsilon$ from the statement of the theorem, take $\varepsilon = 1/\log N$, so that $N^{-\varepsilon} = 1/2$ and $m$ is
polynomial in $\log N$ and $d$. Then our bound becomes $X \le \frac{1}{4} N^{\beta^2/d}$. We can divide the interval
$[-N^{\beta^2/d}, N^{\beta^2/d}]$ into four intervals of width $2X$ and solve the problem for each interval by finding
solutions for the polynomials $f(x - 3X)$, $f(x - X)$, $f(x + X)$, and $f(x + 3X)$. Thus, we achieve a bound of
$X \le N^{\beta^2/d}$, as desired. □
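The attack sketched in Section 1.1 (an RSA prime $p$ whose high bits are known) carried out with exactly the lattice of this proof, as an added Python example that is not code from the paper. It uses a textbook LLL over exact rationals, and instead of factoring $Q$ over $\mathbb{Q}$ it isolates the integer roots of $Q$ on $[0, X]$ with a Sturm sequence, which is enough here because only integer roots matter. The instance is constructed for the demo: $p$ and $q$ are the largest primes below $2^{64}$ and $2^{63}$, the attacker knows all of $p$ except its low 22 bits, and the parameters $k = 3$, $t = 3$ (so $m = 6$) and $X = 2^{22}$ are my choices; `howgrave_bound_ok` checks the condition $\sqrt{m}\,2^{(m-1)/4}\det(L)^{1/m} < B^k$ for them directly rather than going through Lemma 3.1 (which asks for $m \ge 7$ only to simplify the constants).

```python
"""Coppersmith/Howgrave-Graham attack on RSA with the high bits of p known.
Added example, not the paper's code: textbook LLL over exact rationals plus
Sturm-sequence root isolation. All constants below are demo choices."""
from fractions import Fraction
from math import gcd, log2

# Constructed demo instance: p, q are the largest primes below 2**64 and 2**63;
# the attacker knows p except its low 22 bits, so p = R_DEMO + w with 0 <= w < X_DEMO.
P_DEMO = 2**64 - 59
Q_DEMO = 2**63 - 25
N_DEMO = P_DEMO * Q_DEMO
X_DEMO = 2**22
R_DEMO = P_DEMO - P_DEMO % X_DEMO

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def lll(basis, delta=Fraction(3, 4)):
    """LLL reduction of integer row vectors with exact rational Gram-Schmidt; the GSO is
    recomputed after every change, which is fine for the small dimensions used here."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)
    def gso():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu
    bstar, mu = gso()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                 # size reduction
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gso()
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                       # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gso()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]

def pmul(a, b):
    """Product of polynomials given as coefficient lists, index = power of x."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def peval(p, x):
    r = 0
    for c in reversed(p):
        r = r * x + c
    return r

def coppersmith_lattice(f, N, k, t, X):
    """Rows: coefficient vectors of x^j f(x)^i N^(k-i) (i < k, j < d) and x^j f(x)^k (j < t),
    with column l scaled by X^l, i.e. the polynomials evaluated at xX as in the proof."""
    d = len(f) - 1
    polys, fi = [], [1]
    for i in range(k):
        for j in range(d):
            polys.append(pmul([0] * j + [1], [c * N ** (k - i) for c in fi]))
        fi = pmul(fi, f)
    for j in range(t):
        polys.append(pmul([0] * j + [1], fi))
    m = d * k + t
    return [[(p[l] if l < len(p) else 0) * X ** l for l in range(m)] for p in polys]

def howgrave_bound_ok(N, X, d, k, t, divisor_bits):
    """True if sqrt(m) 2^((m-1)/4) det(L)^(1/m) < B^k (in log2) for every divisor B >= 2^divisor_bits."""
    m = d * k + t
    log_det = m * (m - 1) / 2 * log2(X) + d * k * (k + 1) / 2 * log2(N)
    return 0.5 * log2(m) + (m - 1) / 4 + log_det / m < k * divisor_bits

def strip(a):
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def prem(a, b):
    """Remainder of a modulo b over Q (coefficient lists, index = power)."""
    a, b = strip(map(Fraction, a)), strip(map(Fraction, b))
    while len(a) >= len(b):
        c, s = a[-1] / b[-1], len(a) - len(b)
        for i, y in enumerate(b):
            a[s + i] -= c * y
        a = strip(a)
    return a

def sturm_chain(p):
    chain = [strip(map(Fraction, p))]
    chain.append(strip([i * c for i, c in enumerate(chain[0])][1:]))   # derivative
    while chain[-1]:
        r = prem(chain[-2], chain[-1])
        if not r:
            break
        chain.append([-c for c in r])
    return chain

def sign_changes(chain, x):
    signs = [s for s in ((v > 0) - (v < 0) for v in (peval(p, x) for p in chain)) if s]
    return sum(1 for a, b in zip(signs, signs[1:]) if a != b)

def integer_roots(p, lo, hi):
    """Integer roots of p in [lo, hi]: bisect only intervals that Sturm's theorem says contain a root."""
    chain, roots, stack = sturm_chain(p), set(), [(lo, hi)]
    while stack:
        a, b = stack.pop()
        roots.update(x for x in (a, b) if peval(p, x) == 0)
        if b - a > 1 and sign_changes(chain, a) - sign_changes(chain, b) > 0:
            mid = (a + b) // 2
            stack += [(a, mid), (mid, b)]
    return sorted(roots)

def recover_prime(N, r, X, k=3, t=3):
    """Factor N = pq given r with p = r + w and 0 <= w < X, via f(x) = x + r (d = 1)."""
    v = lll(coppersmith_lattice([r, 1], N, k, t, X))[0]
    Q = [c // X ** l for l, c in enumerate(v)]            # undo the X^l column scaling
    for w in integer_roots(Q, 0, X):
        p = gcd(r + w, N)
        if 1 < p < N:
            return p
    return None

if __name__ == "__main__":
    print(howgrave_bound_ok(N_DEMO, X_DEMO, 1, 3, 3, 63), recover_prime(N_DEMO, R_DEMO, X_DEMO) == P_DEMO)
```

Because the first LLL vector always satisfies $|v|_2 \le 2^{(m-1)/4}\det(L)^{1/m}$, the bound check is the only thing that needs to hold for `recover_prime` to be guaranteed to work: with $p > 2^{63}$ and $X = 2^{22}$ the left side is about $2^{184.5}$ against $p^3 > 2^{189}$, so $Q(w) = 0$ over $\mathbb{Z}$ and the unknown 22 bits fall out of a single lattice reduction instead of a $2^{22}$-step search.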



We end with a brief lemma that will tell us how to optimize our parameters in equation (3.5).

Lemma 3.1. Let $\varepsilon > 0$, let $m \ge \max(7,\ 2d/\beta,\ 1 + 2\beta/\varepsilon)$ be an integer, and set $k = \lfloor \beta m/d \rfloor - 1$
and $t = m - dk$. Then the inequality

$$\ell\,\frac{m-1}{2k} + n\,\frac{d(k+1)}{2m} \le n\beta$$

is satisfied for all $\ell \le n\bigl(\beta^2/d - \varepsilon\bigr)$.

As intuition, note that if we set the two terms $\ell\frac{m-1}{2k}$ and $n\frac{d(k+1)}{2m}$ roughly equal to $\frac{n\beta}{2}$, then we
have $\ell m^2 \approx ndk^2 \approx n\beta mk$ and hence $\ell \approx n\beta^2/d$. The proof amounts to making this precise.

Proof. It suffices to show that these values of $m$ and $k$ satisfy $\ell\frac{m-1}{2k} \le \frac{n\beta}{2}$ and $n\frac{d(k+1)}{2m} \le \frac{n\beta}{2}$.
The first inequality is equivalent to $\frac{k}{m-1} \ge \frac{\ell}{n\beta}$. Similarly, the second is equivalent to $\frac{k+1}{m} \le \frac{\beta}{d}$.

Since $k + 1 = \lfloor \beta m/d \rfloor \le \beta m/d$, the second inequality is satisfied. Moreover, $m \ge 2d/\beta$ gives
$\beta m/d \ge 2$ and hence $k \ge 1$, and $m \ge 2d/\beta \ge 2d$ (as $\beta \le 1$) gives $t = m - dk \ge d$. Because $k \ge \beta m/d - 2$,
we have

$$\frac{k}{m-1} \ge \frac{\beta m/d - 2}{m-1} \ge \frac{\beta}{d} - \frac{2}{m-1} \ge \frac{\beta}{d} - \frac{\varepsilon}{\beta},$$

where the last step uses $m - 1 \ge 2\beta/\varepsilon$. On the other hand, $\ell \le n(\beta^2/d - \varepsilon)$ gives $\frac{\ell}{n\beta} \le \frac{\beta}{d} - \frac{\varepsilon}{\beta}$.
Combining the two displays yields $\frac{k}{m-1} \ge \frac{\ell}{n\beta}$, which is equivalent to the first inequality. □



It is also worth noting that improving the approximation factor for the length of the short lattice
vector that we find will only improve the constants and running time of the theorem, but will not
provide an asymptotic improvement to the bound $N^{\beta^2/d}$ on



4 Polynomials and Reed-Solomon list decoding 



In this section, we prove Theorem 1.2 using an approach analogous to that of the previous section.
Guruswami and Sudan's technique for list decoding of Reed-Solomon codes [21] is similar in that it
involves constructing a bivariate polynomial that vanishes to high degree at particular points. To
construct such a polynomial, they write each vanishing condition as a set of linear equations on the
coefficients of the polynomial under construction. The linear equations can be solved to obtain the
desired polynomial, and the polynomial factored to obtain its roots.

Similarly, the polynomials used in Coppersmith's method are constructed in order to vanish to high degree, the condition ensured by equation (3.1). The conceptual difference is that this condition follows from the form of the lattice basis, rather than being imposed as linear constraints. With the right definition of lattice basis reduction in the polynomial setting, we can emulate the proof from the integer case.

We regard $f(x)$ as a polynomial in $x$ with coefficients that are polynomials in the variable $z$. To prove Theorem 1.2 we would like to construct a polynomial $Q(x)$ over $F[z]$ from the polynomials $x^j f(x)^i p(z)^{k-i}$. If $b(z)$ divides both $p(z)$ and $f(w(z))$, then $b(z)^k$ divides $w(z)^j f(w(z))^i p(z)^{k-i}$ and thus also any linear combination of such polynomials.

Instead of an integer combination of these polynomials, we will allow coefficients that are polynomials in $z$. Let
$$Q(x) = \sum_{i,j} a_{ij}(z)\, x^j f(x)^i p(z)^{k-i} = \sum_i q_i(z)\, x^i.$$
If we have an upper bound $\ell$ on the degree of our root $w(z)$, then the degree of $Q(w(z))$ will be
$$\deg_z Q(w(z)) \le \max_i \bigl(\deg_z q_i(z) + \ell i\bigr).$$
If similarly we have a lower bound $n\beta$ on the degree of $b(z)$, then if we know that both
$$Q(w(z)) \equiv 0 \pmod{b(z)^k}$$
and
$$\deg_z Q(w(z)) < n\beta k \le k \deg_z b(z), \tag{4.1}$$
then we may conclude that
$$Q(w(z)) = 0.$$

4.1 Proof of Theorem 1.2

We will show how finding a short vector in a lattice of polynomials will allow us to construct a 
polynomial Q(x) satisfying (4.1). 

Let $\ell$ be the upper bound on the degree of the roots $w(z)$ we would like to find. Using the same idea to bound the length of the vector as in the integer case, we will form a lattice of the coefficient vectors of
$$(z^\ell x)^j f(z^\ell x)^i p(z)^{k-i} \quad \text{for } 0 \le j < d \text{ and } 0 \le i < k$$
and
$$(z^\ell x)^j f(z^\ell x)^k \quad \text{for } 0 \le j < t.$$
As always, we view them as polynomials in powers of $x$ with coefficients that are polynomials in $z$. Let $M$ be the $F[z]$-module spanned by the coefficient vectors of these polynomials, with the degree of a vector defined by (2.1).

The matrix of coefficient vectors of the basis is upper triangular, so its determinant is the product of the diagonal entries. Set $m = kd + t$. Hence
$$\deg \det M = \ell \sum_{i=0}^{m-1} i + nd \sum_{j=0}^{k} j.$$
Since the dimension of our lattice is $m$, by Theorem 2.3 we can find a vector of degree at most
$$\frac{1}{m}\left(\ell\,\frac{m(m-1)}{2} + nd\,\frac{k(k+1)}{2}\right).$$
To prove (4.1), we would like this bound to be less than $\beta k n$. By Lemma 3.1, we can achieve $\ell < n(\beta^2/d - \varepsilon)$. If we set $\varepsilon < 1/(n^2 d)$, then this becomes $\ell < \beta^2 n/d$, as desired, because $\beta$ can be taken to have denominator $n$.

Note that we cannot achieve degree equal to $\beta^2 n/d$ (as opposed to strict inequality): for the equation $x^d \equiv 0 \pmod{p(z)^d}$, there are infinitely many solutions $x = cp(z)$ if $F$ is infinite.

4.2 Reed-Solomon list decoding and noisy polynomial interpolation

A Reed-Solomon code is determined by evaluating a polynomial $w(z) \in \mathbb{F}_q[z]$ of degree at most $\ell$ at a collection of points $(x_1, \ldots, x_n)$ to obtain a codeword $(w(x_1), \ldots, w(x_n))$. In the Reed-Solomon decoding problem, we are provided with $(y_1, \ldots, y_n)$, where at most $e$ values have changed, and we want to recover $w(z)$ by finding a polynomial of degree at most $\ell$ that fits at least $n - e$ points $(x_i, y_i)$. Guruswami and Sudan [21] showed how to correct $e < n - \sqrt{n\ell}$ errors by providing a list of all possible decodings.

A related problem is that of noisy polynomial interpolation, where at each location $x_i$ a set $\{y_{i1}, \ldots, y_{id}\}$ of values is specified, and the goal is to find a low-degree polynomial passing through a point from each set. This problem has been proposed as a cryptographic primitive, for example by Naor and Pinkas [36], and studied by Bleichenbacher and Nguyen [3].



We can use Theorem 1.2 to solve both problems, and in particular recover the exact decoding rates of Guruswami-Sudan. The input to our problem is a collection of points
$$\{(x_i, y_{ij}) : 1 \le i \le n,\ 1 \le j \le d\}.$$
We set $p(z) = \prod_i (z - x_i)$, and we define a monic polynomial $f(x)$ of degree $d$ in $x$ by
$$f(x) = \sum_{i=1}^{n} \prod_{j=1}^{d} (x - y_{ij}) \prod_{\substack{k=1 \\ k \ne i}}^{n} \frac{z - x_k}{x_i - x_k}.$$
We have constructed $f(x)$ by interpolation so that $f(x) \equiv \prod_j (x - y_{ij}) \pmod{z - x_i}$. Thus, $f(y_{ij}) = 0$ whenever $z = x_i$.

To correct $e$ errors, we seek a polynomial $w(z)$ of degree at most $\ell$ such that for at least $n - e$ values of $i$, there exists a $j$ such that $w(x_i) = y_{ij}$. In other words, $f(w(z))$ must be divisible by at least $n - e$ factors $z - x_i$, which is equivalent to
$$\deg_z \gcd\bigl(f(w(z)), p(z)\bigr) \ge n - e.$$
Theorem 1.2 tells us that we can solve this problem in polynomial time if $\ell < n(1 - e/n)^2/d$ (since $\beta = 1 - e/n$ in the notation of the theorem). That is equivalent to the Guruswami-Sudan bound $e < n - \sqrt{n\ell d}$.
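As an added worked example (not code from the paper), the following Python carries out the reduction of this section over a constructed prime field GF(101): `build_instance` interpolates the monic $f(x)$ from constructed sample points, `compose` forms $f(w(z))$ for a candidate $w(z)$, and `gcd_degree` checks that $\deg_z \gcd(f(w(z)), p(z))$ counts the agreeing locations, for both a plain Reed-Solomon instance ($d = 1$) and a noisy-interpolation instance ($d = 2$). The helper `within_bound` is an added exact check of the Guruswami-Sudan condition; the lattice reduction step itself is not included.

```python
# Added example (not from the paper): the Section 4.2 reduction over GF(P).
# Polynomials in z are coefficient lists (lowest degree first) mod P; the
# bivariate f(x) is a list indexed by the power of x whose entries are such lists.
P = 101  # constructed prime modulus; all arithmetic is in GF(101)

def trim(a):  # reduce mod P and drop leading zeros
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def deg(a):  # the zero polynomial has degree -1
    a = trim(a)
    return len(a) - 1 if a else -1

def add(a, b):
    n = max(len(a), len(b))
    return trim([(a + [0] * n)[i] + (b + [0] * n)[i] for i in range(n)])

def mul(a, b):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)

def rem(a, b):  # remainder of a modulo b in GF(P)[z], b nonzero
    a, b = trim(a), trim(b)
    inv = pow(b[-1], P - 2, P)
    while deg(a) >= deg(b):
        c = a[-1] * inv % P
        a = add(a, [0] * (deg(a) - deg(b)) + [-c * y for y in b])
    return a

def gcd(a, b):  # Euclid; only the degree of the result matters here
    a, b = trim(a), trim(b)
    while b:
        a, b = b, rem(a, b)
    return a

def evaluate(a, x):
    v = 0
    for c in reversed(a):
        v = (v * x + c) % P
    return v

def lagrange_basis(xs, i):  # L_i(z) = prod_{k != i} (z - x_k)/(x_i - x_k)
    num, den = [1], 1
    for k, xk in enumerate(xs):
        if k != i:
            num, den = mul(num, [-xk, 1]), den * (xs[i] - xk) % P
    return trim([c * pow(den, P - 2, P) for c in num])

def build_instance(xs, ys):
    """p(z) = prod_i (z - x_i) and the monic f(x) = sum_i L_i(z) prod_j (x - y_ij),
    so that f(x) = prod_j (x - y_ij) (mod z - x_i) for every location i."""
    pz, f = [1], [[] for _ in range(len(ys[0]) + 1)]
    for xi in xs:
        pz = mul(pz, [-xi, 1])
    for i in range(len(xs)):
        li, px = lagrange_basis(xs, i), [1]
        for y in ys[i]:  # px = prod_j (x - y_ij), with constant coefficients
            px = mul(px, [-y, 1])
        for s, c in enumerate(px):  # the x^s coefficient of f gains c * L_i(z)
            f[s] = add(f[s], [c * v for v in li])
    return pz, f

def compose(f, w):  # f(w(z)) = sum_s f_s(z) w(z)^s, a polynomial in z alone
    out, wpow = [], [1]
    for fs in f:
        out, wpow = add(out, mul(fs, wpow)), mul(wpow, w)
    return out

def agreements(xs, ys, w):  # locations i with w(x_i) in {y_i1, ..., y_id}
    return sum(1 for xi, yi in zip(xs, ys) if evaluate(w, xi) in yi)

def gcd_degree(xs, ys, w):  # deg_z gcd(f(w(z)), p(z)), which counts the agreements
    pz, f = build_instance(xs, ys)
    return deg(gcd(compose(f, w), pz))

def within_bound(n, ell, d, e):  # Guruswami-Sudan: e < n - sqrt(n*ell*d), exactly
    return n > e and (n - e) ** 2 > n * ell * d

# Constructed instance: w(z) = z^2 + 3 agrees with the first five of seven
# locations (d = 2 candidate values each), so e = 2 of the n = 7 positions are errors.
XS = [1, 2, 3, 4, 5, 6, 7]
W = [3, 0, 1]
YS = [[4, 10], [7, 11], [12, 13], [19, 20], [28, 30], [40, 41], [50, 51]]
```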
4.3 Running time



The Guruswami-Sudan algorithm consists of two parts: constructing the polynomial $Q(x)$, and finding the roots of $Q(x)$ in $\mathbb{F}_q[z]$. In this paper, we do not address the second part, but we improve the running time of the first part, which has been the bottleneck in the algorithm.

The time to construct $Q$ is dominated by the lattice basis reduction step, which depends on $m$, the dimension of the lattice, and the maximum degree $D$ of a coefficient polynomial.

Lemma 3.1 tells us that we have $m = O(\beta/\varepsilon)$, where $\varepsilon$ has been defined so that $\ell = n(\beta^2/d - \varepsilon)$, and we can assume $D \le nk$, since we can reduce the coefficients of $Q(x)$ modulo $p(z)^k$, which has degree $nk$. The parameter $k$ is set to $O(\beta m/d)$.

Emulating the analysis from [21], when $(\beta n)^2 = (1 + \delta)\ell n$, we have $\delta = \varepsilon n/\ell$,
$$m = O\bigl((1 + \delta)/(\delta\beta)\bigr),$$
and
$$D = O\bigl(n(1 + \delta)/(d\delta)\bigr).$$
Using the fastest row reduction algorithm (see Section 2.2), the running time is
$$O\bigl(D m^{\omega + o(1)}\bigr) = O\bigl(n/\delta^{\omega + 1 + o(1)}\bigr).$$
In the worst case, we set $\varepsilon = 1/(n^2 d)$, which gives $m = O(\beta n^2 d)$, $k = O((\beta n)^2)$, and $D = O(n^3 \beta^2)$, so the total running time is $O(n^{2\omega + 3 + o(1)} d)$ field operations. With cubic-time matrix multiplication we achieve $O(n^9 d)$, and with fast matrix multiplication [13] we achieve $O(n^{7.752 + o(1)} d)$.

The original Guruswami-Sudan approach [21] requires roughly $O(n^3 \delta^{-6})$ field operations, or $O(n^{15})$ in the worst case. (The second part of their algorithm runs in time $O(n^{12})$, although there have been improvements since then [39].) The fastest previous algorithm proposed for this problem [44] apparently runs in worst case time $O(n^8)$ when $d = 1$, although its running time analysis is only heuristic (see the footnote on page 13 of [44]).



5 Number fields 

5.1 Background on number fields 

See [28] for a beautiful introduction to computational algebraic number theory, or [9] for a more comprehensive treatment.

Recall that number fields are finite extensions of the field $\mathbb{Q}$ of rational numbers. Each number field $K$ is generated by some algebraic number $\alpha$, and the elements of the number field are polynomials in $\alpha$ with rational coefficients. If the minimal polynomial $p(x)$ of $\alpha$ (the lowest-degree polynomial over $\mathbb{Q}$, not identically zero, for which $\alpha$ is a root) has degree $n$, then every element of $K = \mathbb{Q}(\alpha)$ will be a polynomial in $\alpha$ of degree at most $n - 1$. In other words,
$$\mathbb{Q}(\alpha) = \{a_0 + a_1\alpha + \cdots + a_{n-1}\alpha^{n-1} : a_0, \ldots, a_{n-1} \in \mathbb{Q}\}.$$
The degree of $K$ is defined to be $n$. It is the dimension of $K$ as a $\mathbb{Q}$-vector space.

The minimal polynomial $p(x)$ must be irreducible over $\mathbb{Q}$, and thus it has $n$ distinct complex roots $\alpha_1, \ldots, \alpha_n$ (one of which is $\alpha$). Not all of these roots will necessarily be in the field $K = \mathbb{Q}(\alpha)$. For example, the field $\mathbb{Q}(\sqrt[3]{2})$ is contained in $\mathbb{R}$ and thus does not contain either of the complex roots of $x^3 - 2$.

For each $i$ from 1 to $n$, we can define an embedding $\sigma_i$ of $K$ into $\mathbb{C}$ by mapping $\alpha$ to $\alpha_i$ and extending by additivity and multiplicativity. All embeddings into $\mathbb{C}$ arise in this way. If $p$ has $r_1$ real roots and $r_2$ pairs of complex conjugate (non-real) roots, then there will be $r_1$ real embeddings and $2r_2$ complex embeddings.

The absolute values on $K$ are defined by
$$|\gamma|_i = |\sigma_i(\gamma)|$$
(where $|\cdot|$ on the right side is the familiar absolute value on $\mathbb{C}$, and $|\cdot|_i$ does not denote the norm). For each $i$, this valuation has all the usual properties of the absolute value on $\mathbb{Q}$. These absolute values are not necessarily distinct, since they coincide for complex conjugate roots of $p(x)$: if $\alpha_i = \overline{\alpha_j}$, then $|\gamma|_i = |\gamma|_j$ for all $\gamma$. Otherwise, the absolute values are all distinct.

The ring of algebraic integers $\mathcal{O}_K$ in $K$ consists of all the elements of $K$ that are roots of monic polynomials over $\mathbb{Z}$. It is the natural analogue of $\mathbb{Z}$ in $K$ (note that $\mathcal{O}_{\mathbb{Q}} = \mathbb{Z}$). In simple cases, $\mathcal{O}_K$ may equal $\mathbb{Z}[\alpha]$, but that is not always true. When $K = \mathbb{Q}(\sqrt{5})$, we have $\mathcal{O}_K = \mathbb{Z}[(1 + \sqrt{5})/2]$, and for some number fields the ring of integers cannot even be generated by a single element.

The norm of an element $\gamma \in K$ is defined as the product
$$N(\gamma) = \sigma_1(\gamma) \cdots \sigma_n(\gamma)$$
in $\mathbb{C}$. (In fact, $N(\gamma)$ is rational for $\gamma \in K$, and it is integral for $\gamma \in \mathcal{O}_K$.) If $\gamma \in \mathcal{O}_K$ and $\gamma \ne 0$, then $|N(\gamma)| = |\mathcal{O}_K/\gamma\mathcal{O}_K|$. More generally, for any nonzero ideal $I$ in $\mathcal{O}_K$, we define its norm $N(I)$ to be $|\mathcal{O}_K/I|$. The norm is multiplicative; i.e., $N(IJ) = N(I)N(J)$.

The norm is a natural measure of size for both ideals and individual elements in $\mathcal{O}_K$. It might be tempting to use the norm as our measure of the size of the roots of the polynomial in Theorem 1.3. However, that does not work, because $\mathcal{O}_K$ typically has infinitely many units (elements of norm 1). For example, the powers of $(1 + \sqrt{5})/2$ are units in $\mathbb{Z}[(1 + \sqrt{5})/2]$, which means the equation $x^2 \equiv 0 \pmod 4$ has infinitely many solutions of norm at most $N(4)^{1/2} = N(2) = 4$, namely the numbers $2((1 + \sqrt{5})/2)^k$ for $k \in \mathbb{Z}$. Thus, bounding the norm alone is insufficient even to guarantee that there will be only finitely many solutions, but bounding all the absolute values suffices.
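As an added illustration (not from the paper), the following Python checks the unit phenomenon just described in $\mathbb{Z}[(1 + \sqrt{5})/2]$ with exact integer arithmetic: every $x = 2((1+\sqrt{5})/2)^k$ satisfies $x^2 \equiv 0 \pmod 4$ and $|N(x)| = 4$, while the two absolute values $|\sigma_1(x)|$, $|\sigma_2(x)|$ grow without bound as $|k|$ grows.

```python
# Added example (not from the paper): arithmetic in Z[phi], phi = (1 + sqrt 5)/2,
# showing why a norm bound alone leaves infinitely many roots of x^2 = 0 (mod 4).
# An element a + b*phi is the pair (a, b); phi^2 = phi + 1 and phi^-1 = phi - 1.
import math

SQRT5 = math.sqrt(5)

def mul(u, v):  # (a + b phi)(c + d phi) = ac + bd + (ad + bc + bd) phi
    a, b = u
    c, d = v
    return (a * c + b * d, a * d + b * c + b * d)

def phi_power(k):  # phi^k for any integer k (phi is a unit, so k < 0 is allowed)
    base = (0, 1) if k >= 0 else (-1, 1)
    r = (1, 0)
    for _ in range(abs(k)):
        r = mul(r, base)
    return r

def norm(u):  # N(a + b phi) = sigma_1(u) sigma_2(u) = a^2 + ab - b^2
    a, b = u
    return a * a + a * b - b * b

def abs_values(u):  # |u|_1 = |sigma_1(u)| and |u|_2 = |sigma_2(u)|, the two real embeddings
    a, b = u
    return (abs(a + b * (1 + SQRT5) / 2), abs(a + b * (1 - SQRT5) / 2))

def divisible_by(u, m):  # u lies in the ideal m * Z[phi]
    return u[0] % m == 0 and u[1] % m == 0

def unit_solution(k):  # x = 2 phi^k, the family of solutions from the text
    a, b = phi_power(k)
    return (2 * a, 2 * b)

def is_small_norm_root(x):
    """x^2 = 0 (mod 4) together with |N(x)| <= N(4)^(1/2) = 4: the norm-only criterion."""
    return divisible_by(mul(x, x), 4) and abs(norm(x)) <= 4

def max_abs_value(x):  # bounding this, rather than the norm, leaves finitely many x
    return max(abs_values(x))
```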

The ring $\mathcal{O}_K$ has an integral basis $\omega_1, \ldots, \omega_n$ (i.e., a basis such that every element of $\mathcal{O}_K$ can be expressed uniquely in the form $\sum_i a_i\omega_i$ with $a_i \in \mathbb{Z}$). We assume we are given such a basis, because finding one is computationally difficult (see Theorem 4.4 in [28]). Any reasonably explicit description of $\mathcal{O}_K$ will yield an integral basis. Fortunately, such a description is known for many concrete examples of number fields, such as cyclotomic fields. Furthermore, if we are working with a fixed number field, finding an integral basis for $\mathcal{O}_K$ can be done with only a fixed amount of preprocessing. We also assume that ideals in $\mathcal{O}_K$ are given in terms of integral bases. It is not difficult to convert any other description of an ideal (such as generators over $\mathcal{O}_K$) to an integral basis.

If we do not know the full ring $\mathcal{O}_K$ of integers, we could nevertheless work with an order in $K$, i.e., a finite-index subring of $\mathcal{O}_K$. Everything we need works just as well for orders, with one exception, namely that the norm is no longer multiplicative for ideals. Fortunately, it remains multiplicative for invertible ideals (see Proposition 4.6.8 in [9]), and Coppersmith's theorem generalizes to invertible ideals. Specifically, we can find small roots of polynomial equations modulo an invertible ideal $I$, or modulo any invertible ideal $B$ that contains $I$ and satisfies $N(B) \ge N(I)^\beta$.

Finally, polynomials over number fields can be factored in polynomial time [26].

5.1.1 Modules and canonical embeddings

The analogue of a lattice for $\mathcal{O}_K$ is a finitely generated $\mathcal{O}_K$-submodule of the $r$-dimensional $K$-vector space $K^r$. Recall that an $\mathcal{O}_K$-submodule is a non-empty subset that is closed under addition and under multiplication by any element in $\mathcal{O}_K$.

Unlike the case of $\mathbb{Z}$-lattices, $\mathcal{O}_K$-lattices may not have bases over $\mathcal{O}_K$. However, an $\mathcal{O}_K$-lattice $\Lambda$ always has a pseudo-basis, i.e., a collection of vectors $v_1, \ldots, v_s \in \Lambda$ and ideals $I_1, \ldots, I_s \subseteq \mathcal{O}_K$ such that
$$\Lambda = I_1 v_1 + \cdots + I_s v_s.$$
The key difference from $\mathbb{Z}$ is that the ideals may not be principal (i.e., they may not simply be the multiples of single elements of $\mathcal{O}_K$).

A natural approach to finding a short vector in an $\mathcal{O}_K$-lattice would be to find an algorithm to reduce a pseudo-basis. Fieker and Pohst [14] developed an $\mathcal{O}_K$-analogue of the LLL lattice basis reduction algorithm, but they were unable to prove that their algorithm runs in polynomial time. More recently, Fieker and Stehlé [15] have given a polynomial-time algorithm to find a reduced pseudo-basis in an $\mathcal{O}_K$-module. Their algorithm runs in two parts. The first is to apply LLL to an embedding of the $\mathcal{O}_K$-module as a $\mathbb{Z}$-lattice to find a full-rank set of short module elements, and the second uses this collection of module elements to reduce the pseudo-basis.

As our application only requires finding a short vector in the module, we do not need the second step of the Fieker-Stehlé algorithm. The remainder of this section describes how to use LLL to find a short vector in an $\mathcal{O}_K$-lattice.

Although $\mathcal{O}_K$-lattices are an algebraic analogue of $\mathbb{Z}$-lattices, their geometry is not as easy to see directly from the definition. It might seem natural simply to use one of the absolute values to define the $\ell_2$ norm for vectors, but that breaks the symmetry between them. Instead, it is important to treat each absolute value on an equal footing, and the canonical embedding (defined below) allows us to do so.

We will describe the embedding in several steps. First, we embed $\mathcal{O}_K$ itself as an $n$-dimensional lattice in $\mathbb{R}^{r_1} \oplus \mathbb{C}^{2r_2}$ by mapping $\gamma \in \mathcal{O}_K$ to $(\sigma_1(\gamma), \ldots, \sigma_n(\gamma))$. An integral basis $\omega_1, \ldots, \omega_n$ of $\mathcal{O}_K$ is mapped to the rows of the matrix
$$\sigma(\omega) = \begin{pmatrix} \sigma_1(\omega_1) & \sigma_2(\omega_1) & \cdots & \sigma_n(\omega_1) \\ \sigma_1(\omega_2) & \sigma_2(\omega_2) & \cdots & \sigma_n(\omega_2) \\ \vdots & \vdots & \ddots & \vdots \\ \sigma_1(\omega_n) & \sigma_2(\omega_n) & \cdots & \sigma_n(\omega_n) \end{pmatrix},$$
so $\mathcal{O}_K$ is mapped to the $\mathbb{Z}$-linear combinations of the rows. The discriminant $\Delta_K$ of $K$ is defined by
$$\Delta_K = \bigl(\det \sigma(\omega)\bigr)^2.$$
It is an integer that measures the size of the ring of integers in $K$.

The canonical embedding of the principal ideal generated by an element $\gamma$ is generated by the rows of the matrix product
$$\begin{pmatrix} \sigma_1(\omega_1) & \sigma_2(\omega_1) & \cdots & \sigma_n(\omega_1) \\ \sigma_1(\omega_2) & \sigma_2(\omega_2) & \cdots & \sigma_n(\omega_2) \\ \vdots & \vdots & \ddots & \vdots \\ \sigma_1(\omega_n) & \sigma_2(\omega_n) & \cdots & \sigma_n(\omega_n) \end{pmatrix} \begin{pmatrix} \sigma_1(\gamma) & & & \\ & \sigma_2(\gamma) & & \\ & & \ddots & \\ & & & \sigma_n(\gamma) \end{pmatrix}.$$
More generally, suppose we have an ideal $B$ generated by an integral basis $b_1, \ldots, b_n$. Let $M_B$ be the integer matrix expressing this basis in terms of the integral basis of $\mathcal{O}_K$, i.e., $b_i = \sum_j (M_B)_{ij}\,\omega_j$. The canonical embedding of $B$ is generated by the rows of
$$\sigma(b) = \begin{pmatrix} \sigma_1(b_1) & \sigma_2(b_1) & \cdots & \sigma_n(b_1) \\ \sigma_1(b_2) & \sigma_2(b_2) & \cdots & \sigma_n(b_2) \\ \vdots & \vdots & \ddots & \vdots \\ \sigma_1(b_n) & \sigma_2(b_n) & \cdots & \sigma_n(b_n) \end{pmatrix} = M_B \begin{pmatrix} \sigma_1(\omega_1) & \sigma_2(\omega_1) & \cdots & \sigma_n(\omega_1) \\ \sigma_1(\omega_2) & \sigma_2(\omega_2) & \cdots & \sigma_n(\omega_2) \\ \vdots & \vdots & \ddots & \vdots \\ \sigma_1(\omega_n) & \sigma_2(\omega_n) & \cdots & \sigma_n(\omega_n) \end{pmatrix}.$$
Note that the absolute value of the determinant of $\sigma(b)$ equals $|\det M_B| \sqrt{|\Delta_K|}$, and $|\det M_B| = |\mathcal{O}_K/B| = N(B)$.

Finally, we can easily extend the canonical embedding from $\mathcal{O}_K$ to $\mathcal{O}_K^r$ by embedding each of the $r$ coordinates independently. Given a pseudo-basis $v_1, \ldots, v_r$ with corresponding ideals $I_1, \ldots, I_r$, the canonical embedding of the lattice is generated by the rows of the block matrix whose $ij$ block of size $n \times n$ is equal to
$$M_{I_i}\, \sigma(\omega) \begin{pmatrix} \sigma_1(v_{ij}) & & \\ & \ddots & \\ & & \sigma_n(v_{ij}) \end{pmatrix},$$
where $v_{ij}$ is the $j$-th component of $v_i$.

The inner product on $\mathbb{R}^{r_1} \oplus \mathbb{C}^{2r_2}$ is given by the usual dot product on $\mathbb{R}$ and the Hermitian inner product on $\mathbb{C}$ (i.e., $\langle x, y \rangle = x\bar{y}$ for $x, y \in \mathbb{C}$). Thus, it is positive definite.

The canonical embedding's image lies within an $n$-dimensional real subspace, because the complex embeddings come in conjugate pairs. In fact, we can transform it into a simple real embedding. To do so, consider the $r_2$ pairs of complex embeddings. For each pair $(\sigma_j(\gamma), \sigma_k(\gamma))$ of complex embeddings that are conjugates of each other, we can map the pair $(\sigma_j(\gamma), \sigma_k(\gamma))$ to $(\sqrt{2}\,\mathrm{Re}(\sigma_j(\gamma)), \sqrt{2}\,\mathrm{Im}(\sigma_j(\gamma)))$. The reason for the factor of $\sqrt{2}$ is to ensure that the inner product is preserved. Furthermore, the absolute value of the determinant is preserved.

Once we have a real embedding of our $\mathcal{O}_K$-lattice, we can apply the LLL algorithm to find a short vector in the real embedded lattice, which will correspond to a short vector in the original $\mathcal{O}_K$-lattice. Unfortunately, using LLL in the canonical embedding does not preserve the $\mathcal{O}_K$-structure, so it does not produce a reduced pseudo-basis over $\mathcal{O}_K$, but a short vector is sufficient for our purposes here.
5.2 Proof of the theorem for number fields



The following lemma is the analogue of the statement over the integers that a multiple of $n$ that is strictly less than $n$ in absolute value must be zero.

Lemma 5.1. For a nonzero ideal $I$ in $\mathcal{O}_K$ and an element $\gamma \in I$, if $|N(\gamma)| < N(I)$ then $\gamma = 0$.

Proof. Consider the principal ideal $\gamma\mathcal{O}_K$ generated by a nonzero element $\gamma$ of $I$. The ideal $I$ contains $\gamma\mathcal{O}_K$, and thus $|\mathcal{O}_K/I| \le |\mathcal{O}_K/\gamma\mathcal{O}_K|$. Because $N(I) = |\mathcal{O}_K/I|$ and $|N(\gamma)| = |\mathcal{O}_K/\gamma\mathcal{O}_K|$, we have $|N(\gamma)| \ge N(I)$, as desired. □



Proof of Theorem 1.3. As in the previous proofs, we will construct a polynomial $Q(x)$ in the $\mathcal{O}_K$-module generated by
$$x^j f(x)^i I^{k-i} \quad \text{for } 0 \le i < k \text{ and } 0 \le j < d$$
and
$$x^j f(x)^k \quad \text{for } 0 \le j < t.$$
Note that because of the ideals $I^{k-i}$, this is really a pseudo-basis rather than a basis.

Let $m = dk + t$. To represent this module, we will write down an $nm \times nm$ matrix whose rows are a $\mathbb{Z}$-basis for a weighted version of the module's canonical embedding. Finding a short vector in this lattice will correspond to finding a $Q$ that satisfies our bounds.

Our lattice is constructed much as before, except that in place of a single entry for each coefficient of $x^j f(x)^i I^{k-i}$, we will have an $n \times n$ block matrix. Let $f_{sij}$ be the coefficient of $x^s$ in $x^j f(x)^i$. Then we form the ideal $f_{sij} I^{k-i}$, which has an integral basis $b_1, \ldots, b_n$. We incorporate the bounds $\lambda_i$ on each absolute value into our canonical embedding for the $s$-th coefficient of $x^j f(x)^i I^{k-i}$ by using
$$\begin{pmatrix} \lambda_1^s \sigma_1(b_1) & \lambda_2^s \sigma_2(b_1) & \cdots & \lambda_n^s \sigma_n(b_1) \\ \lambda_1^s \sigma_1(b_2) & \lambda_2^s \sigma_2(b_2) & \cdots & \lambda_n^s \sigma_n(b_2) \\ \vdots & \vdots & \ddots & \vdots \\ \lambda_1^s \sigma_1(b_n) & \lambda_2^s \sigma_2(b_n) & \cdots & \lambda_n^s \sigma_n(b_n) \end{pmatrix}.$$
This is equal to the product of the matrix with $\lambda_1^s, \ldots, \lambda_n^s$ on the diagonal with the canonical embedding $\sigma(b)$, so the absolute value of the determinant of the block is
$$\lambda_1^s \cdots \lambda_n^s\, \sqrt{|\Delta_K|}\, |N(f_{sij})|\, N(I)^{k-i}.$$

Now consider a vector $v$ in this lattice and the polynomial $Q(x) = \sum_j q_j x^j$ that it represents. If $|w|_i \le \lambda_i$ for all $i$, then we can bound $|N(Q(w))|$ using the $\ell_1$ norm by applying the arithmetic mean-geometric mean inequality. We have
$$|N(Q(w))| = \prod_i |Q(w)|_i \le \prod_i \sum_j |q_j|_i\, \lambda_i^j,$$
and hence
$$|N(Q(w))|^{1/n} \le \frac{1}{n} \sum_{i,j} |q_j|_i\, \lambda_i^j.$$
Thus,
$$|N(Q(w))| \le \left(\frac{1}{n}\,|v|_1\right)^n.$$
As in the integer case, LLL produces a nonzero vector $v$ whose $\ell_1$ norm is bounded by
$$\sum_i \sum_j |v_i|_j \le \sqrt{nm}\; 2^{(nm-1)/4}\, |\det(M)|^{1/(nm)}.$$
Note that here, $|v_i|_j$ denotes the $j$-th number field absolute value $|\cdot|_j$ applied to the $i$-th entry of $v$.

Now it remains to compute the determinant of our weighted canonical embedding. The lattice basis we produced in our construction is block upper triangular, so the determinant is the product of the blocks on the diagonal. Letting $\prod_i \lambda_i = \lambda$, we get
$$|\det M| = \prod_{0 \le i < m} \lambda^i \sqrt{|\Delta_K|} \prod_{0 \le j < k} N(I)^{d(k-j)} = \sqrt{|\Delta_K|}^{\,m}\, \lambda^{m(m-1)/2}\, N(I)^{dk(k+1)/2}.$$
Thus, we have
$$|v|_1 \le \sqrt{nm}\; 2^{(nm-1)/4} \left(\sqrt{|\Delta_K|}^{\,m}\, \lambda^{m(m-1)/2}\, N(I)^{dk(k+1)/2}\right)^{1/(nm)}.$$
Recall that if $|w|_i \le \lambda_i$ for all $i$, then
$$|N(Q(w))| \le \left(\frac{1}{n}\,|v|_1\right)^n.$$
We will compute a $c$ so that
$$\left(\sqrt{\frac{m}{n}}\; 2^{(nm-1)/4}\right)^n \sqrt{|\Delta_K|} \le c^{(m-1)/2}.$$
Then by the same analysis as in the proof of the theorem over the integers we can prove the theorem with a bound of $c^{-1} N(I)^{\beta^2/d - \varepsilon}$ on the product $\prod_i \lambda_i$. A simple asymptotic analysis shows that we can take $c = (2 + o(1))^{n^2/2}$ as $m \to \infty$. Thus, we achieve a bound of
$$(2 + o(1))^{-n^2/2}\, N(I)^{\beta^2/d - \varepsilon}.$$
As before, we can take $\varepsilon = 1/\log N(I)$ to achieve in fact $(2 + o(1))^{-n^2/2} N(I)^{\beta^2/d}$.

Note that so far, everything runs in polynomial time, with no exponential dependence on $n$. Unfortunately, removing the factor of $(2 + o(1))^{-n^2/2}$ is computationally expensive. We can use the same trick as in the integer case. In the canonical embedding of $\mathcal{O}_K$, the region we would like to cover is a box of dimensions $2\lambda_1 \times \cdots \times 2\lambda_n$ (the factor of 2 comes from including positive and negative signs). The proof so far shows that we can deal with a box that is a factor of $(2 + o(1))^{-n/2}$ smaller in each coordinate. We can cover the large box with $(2 + o(1))^{n^2/2}$ of the smaller ones and compute the solutions in each smaller box in polynomial time, but the total running time becomes exponential in $n^2$. □
5.3 Solving the closest vector problem in ideal lattices

In [37], Peikert and Rosen proposed using the closest vector problem for ideal lattices as a hard problem for use in constructing lattice-based cryptosystems. In [31], Lyubashevsky, Peikert, and Regev gave hardness reductions for such cryptosystems via the bounded-distance decoding problem, defined for the $\ell_\infty$ norm as follows. Given an ideal $I$ in $\mathcal{O}_K$, a distance $\delta$, and an element $y \in K$, find $y + w \in I$ such that $\|w\|_\infty \le \delta$, where $\|\cdot\|_\infty$ denotes the $\ell_\infty$ norm on $K$ (i.e., the maximum of the $n$ absolute values).

If $y \in \mathcal{O}_K$, then we can define $f(x) = x + y$ and find the roots $w$ of $f(x) \equiv 0 \pmod I$ satisfying
$$\|w\|_\infty \le (2 + o(1))^{-n/2}\, N(I)^{1/n}.$$
This amounts to taking $d = 1$, $\beta = 1$, and $\lambda_1 = \cdots = \lambda_n = (2 + o(1))^{-n/2} N(I)^{1/n}$. Because we are using the $\ell_\infty$ norm, the minimal nonzero norm of $I$ is at most $(\sqrt{|\Delta_K|}\, N(I))^{1/n}$. Thus, our algorithm can handle distances $\delta$ less than $(2 + o(1))^{-n/2} |\Delta_K|^{-1/(2n)}$ times the minimal norm of $I$. (Of course, this is somewhat worse than using LLL directly.) Note also that if $y \notin \mathcal{O}_K$, then we can rescale $y$ and $I$ by a positive integer to reduce to the previous case.

If the $(2 + o(1))^{-n^2/2}$ could be improved to $2^{-n}\sqrt{|\Delta_K|}$, then we could solve the bounded-distance decoding problem up to half the minimal distance, by the same argument as above with $\lambda_1 = \cdots = \lambda_n = |\Delta_K|^{1/(2n)} N(I)^{1/n}/2$. This suggests that it will be difficult to remove the multiplicative factor entirely.

6 Function Fields 

Much as number fields are finite extensions of $\mathbb{Q}$, function fields are finite extensions of the field $\mathbb{F}_q(x)$ of rational functions over a finite field $\mathbb{F}_q$. They arise naturally from algebraic curves over $\mathbb{F}_q$, as the field of rational functions on the curve. For example, for a plane curve defined by the polynomial equation $f(x, y) = 0$, the function field will be $\mathbb{F}_q(x, y)/(f(x, y))$ (i.e., rational functions of $x$ and $y$, where the variables satisfy $f(x, y) = 0$). See [42] and [38] for background on function fields, and [30] for a beautiful account of the analogies between number fields and function fields.

More generally, let $X$ be an algebraic curve over $\mathbb{F}_q$. Specifically, it must be a smooth, projective curve that remains irreducible over the algebraic closure of $\mathbb{F}_q$. Our function field $K$ will be the field of rational functions on $X$ defined over $\mathbb{F}_q$. (Note that we are assuming $\mathbb{F}_q$ is the full field of constants in $K$; in other words, each element of $K$ is either in $\mathbb{F}_q$ or transcendental over $\mathbb{F}_q$.)

Let $X(\mathbb{F}_q)$ be the set of points on $X$ with coordinates in $\mathbb{F}_q$. Every point $p \in X(\mathbb{F}_q)$ gives a valuation $v_p$ on $K$, which measures the order of vanishing at that point. Poles are treated as zeros of negative order. The corresponding absolute value on $K$ is defined by
$$|f|_p = q^{-v_p(f)}.$$
(Note that this is not the $\ell_p$ norm on a vector; in this section, the $\ell_p$ norm will not be used.) In other words, high-order zeros make a function small, while poles make it larger. Not every absolute value on $K$ is of this form: there is a slight generalization that corresponds to points defined over finite extensions of $\mathbb{F}_q$ (more precisely, Galois orbits of such points). For our purposes we can restrict our attention to the absolute values defined above, but in fact all our results generalize naturally to places of degree greater than 1.
In the number field case, the Archimedean absolute values (which come from the complex embeddings) play a special role, although there are infinitely many non-Archimedean absolute values as well, namely the $p$-adic absolute values measuring divisibility by primes. In the function field case, there are no Archimedean absolute values, and any set of absolute values can play the same role.

Let $S$ be a nonempty subset of $X(\mathbb{F}_q)$, and let $\mathcal{O}_S$ be the subring of $K$ consisting of all rational functions whose poles are confined to the set $S$. The ring $\mathcal{O}_S$ is analogous to the ring of algebraic integers in a number field; in this analogy, the condition of having no poles outside $S$ amounts to the condition that an algebraic integer has no primes in its denominator, because the valuations from points outside $S$ correspond to the $p$-adic valuations.

For example, if $X$ is the projective line (i.e., the ordinary line completed with a point at infinity), then $K$ is simply the field $\mathbb{F}_q(z)$ of rational functions in one variable. If we let $S = \{\infty\}$ be the set consisting solely of the point at infinity, then $\mathcal{O}_S$ is the set of rational functions that have poles only at infinity. In other words, it is the polynomial ring $\mathbb{F}_q[z]$. (A polynomial of degree $d$ has a pole of order $d$ at infinity.)

The norm of an element $f \in \mathcal{O}_S$ is defined by
$$N(f) = \prod_{p \in S} |f|_p,$$
and the norm of a nonzero ideal $I$ is defined by $N(I) = |\mathcal{O}_S/I|$. As in the number field case, the norm of the principal ideal $f\mathcal{O}_S$ is $N(f)$.

6.1 Background on algebraic-geometric codes 

Algebraic-geometric codes are a natural generalization of Reed-Solomon codes. They are of great importance in coding theory, because for certain finite fields they beat the Gilbert-Varshamov bound (which is the performance of a random code, and which aside from algebraic-geometric codes is the best bound known). See Section 8.4 in [32].

To define an algebraic-geometric code on X, we specify for each point in S the maximum 
allowable order of a pole there (and we allow no poles outside of S). The space of functions satisfying 
these restrictions is a finite-dimensional Fq-vector space, and we can produce an error-correcting 
code by looking at the evaluations of these functions at a fixed set of points (disjoint from S). 

This is typically described using the language of algebraic geometry. A divisor $D$ on $X$ is a formal $\mathbb{Z}$-linear combination of finitely many points on $X$; the support of $D$ is the set of points with nonzero coefficients. (We will restrict our attention to divisors supported at points in $X(\mathbb{F}_q)$.) The divisor $D$ is called effective, denoted $D \ge 0$, if all its coefficients are nonnegative. For every function $f \in K^*$, the principal divisor $(f)$ is the sum of the zeros and poles of $f$, with their orders as coefficients. (The identically zero function does not define a principal divisor, since it has a zero of infinite order at every point.) The degree $\deg(D)$ of $D$ is defined to be the sum of its coefficients, and the degree of a principal divisor is always zero.

Given a divisor $D$, the Riemann-Roch space $\mathcal{L}(D)$ is defined by
$$\mathcal{L}(D) = \{0\} \cup \{f \in K^* : (f) + D \ge 0\}.$$
In other words, if the coefficient of $p$ in $D$ is $k$, then $f$ can have a pole of order at most $k$ at the point $p$. The space $\mathcal{L}(D)$ is a finite-dimensional $\mathbb{F}_q$-vector space, and the famous Riemann-Roch theorem describes its dimension:
$$\dim_{\mathbb{F}_q} \mathcal{L}(D) = \deg(D) - g + 1 + \dim_{\mathbb{F}_q} \mathcal{L}(W - D),$$
where $g$ is a nonnegative integer called the genus of the curve and $W$ is a particular divisor called the canonical divisor. It follows that $\dim_{\mathbb{F}_q} \mathcal{L}(D) \ge \deg(D) - g + 1$, and equality holds if $\deg(D) > 2g - 2$.

To translate the definition of an algebraic-geometric code to this language, let $D$ be the divisor with support in $S$ whose coefficients specify the allowed order of a pole at each point, and let $p_1, \ldots, p_n$ be distinct points in $X(\mathbb{F}_q)$ but not in $S$. Then the corresponding algebraic-geometric code consists of the codewords $(w(p_1), \ldots, w(p_n))$ for $w \in \mathcal{L}(D)$.

In the case of the projective line, let $S = \{\infty\}$, so $\mathcal{O}_S = \mathbb{F}_q[z]$, and let $D = d\infty$. Then $\mathcal{L}(D)$ is the space of polynomials in $\mathbb{F}_q[z]$ of degree at most $d$. Thus, this construction yields Reed-Solomon codes as a special case.



Theorem 1.4 corresponds to list decoding of algebraic-geometric codes in much the same way as Theorem 1.2 does for Reed-Solomon codes. The evaluation points $p_1, \ldots, p_n$ correspond to prime ideals $P_1, \ldots, P_n$ in $\mathcal{O}_S$, where $P_i$ consists of the functions vanishing at $p_i$, and we can let $I$ be the product $P_1 \cdots P_n$. If the received codeword is $(y_1, \ldots, y_n) \in \mathbb{F}_q^n$, then we define the linear polynomial $f$ so that $f(x) \equiv x - y_i \pmod{P_i}$ for all $i$. (The Chinese remainder theorem lets us solve this interpolation problem.) Thus, for $w \in \mathcal{O}_S$, $f(w)$ is in the ideal $P_i$ if and only if $w(p_i) = y_i$. We have $N(I) = q^n$, and $\gcd(f(w)\mathcal{O}_S, I)$ is divisible by $P_i$ exactly when $w(p_i) = y_i$. Therefore the inequality
$$N\bigl(\gcd(f(w)\mathcal{O}_S, I)\bigr) \ge N(I)^\beta$$
simply means that $w(p_i) = y_i$ for at least $\beta n$ values of $i$. Thus, Theorem 1.4 solves the list decoding problem.



6.2 Proof of Theorem 1.4

As in the number field case, we would like to deal with lattices over a simpler ring than $\mathcal{O}_S$; there, we used the complex embeddings to construct a $\mathbb{Z}$-module. Here, we will use $\mathbb{F}_q[z]$-modules instead, but there is a key conceptual difference, because there are many embeddings of $\mathbb{F}_q[z]$ into $\mathcal{O}_S$ and we must choose the correct one, while there is only one embedding of $\mathbb{Z}$ into $\mathcal{O}_K$.

The property we would like $z$ to have is that $|z|_p$ should be independent of $p$, as long as $p \in S$. In that case, the absolute values $|\cdot|_p$ with $p \in S$ will all restrict to the same absolute value on the ring $R = \mathbb{F}_q[z]$, which we will denote $|\cdot|$.

When $|S| = 1$, we can choose any nonconstant element $z$ of $\mathcal{O}_S$. When $|S| > 1$, it is not as trivial, but fortunately there is always such an element:

Lemma 6.1. There exists an integer $a \ge 1$ and an element $z \in \mathcal{O}_S$ such that $v_p(z) = -a$ for all $p \in S$, and we can find such an element in probabilistic polynomial time.

Proof. Let $A_a$ be the divisor
$$A_a = \sum_{p \in S} a\,p$$
with coefficient $a$ for each $p \in S$, and let $g$ be the genus of the curve $X$. If $a|S| > 2g - 2$, then by the Riemann-Roch theorem,
$$\dim_{\mathbb{F}_q} \mathcal{L}(A_a) = a|S| - (g - 1).$$
Furthermore, if $a|S| > 2g - 1$, then for each $p \in S$,
$$\dim_{\mathbb{F}_q} \mathcal{L}(A_a - p) = a|S| - g.$$
Thus, if $|S| < q$, then $\mathcal{L}(A_a)$ cannot be contained in the union of $\mathcal{L}(A_a - p)$ over all $p \in S$, and therefore there exists a function with poles of order exactly $a$ at each point in $S$. If $|S| < q/2$, then it is easy to find such a function by random sampling, since at least half the elements in $\mathcal{L}(A_a)$ will work. (Recall that as mentioned in Section 1.4 we assume that we can efficiently compute bases of Riemann-Roch spaces.)

This proof requires $|S| < q$, but the same idea works if we pass to a finite extension $\mathbb{F}_{q^i}$ of $\mathbb{F}_q$, and it can handle $|S| < q^i$. Thus, if we take $i$ large enough, there exists a function defined over $\mathbb{F}_{q^i}$ with poles of equal order $a$ at the points in $S$ (and no poles elsewhere). Now multiplying the $i$ conjugates of this function over $\mathbb{F}_q$ produces such a function over $\mathbb{F}_q$, as desired, with poles of order $ai$. Taking $q^i > 2|S|$ gives an efficient algorithm as well. □

For the rest of this section, let $z$ be such a function and let $R = \mathbb{F}_q[z]$. Then the ring $\mathcal{O}_S$ is a free $R$-module of rank $a|S|$ by Theorem 1.4.11 in [42], as is every nonzero ideal in $\mathcal{O}_S$.

As in the previous proofs, we will construct a polynomial $Q(x)$ in the $\mathcal{O}_S$-module $\mathcal{M}$ generated by
$$x^j f(x)^i I^{k-i} \quad \text{for } 0 \le i < k \text{ and } 0 \le j < d$$
and
$$x^j f(x)^k \quad \text{for } 0 \le j < t.$$
Let $m = dk + t$.

The module $\mathcal{M}$ is a submodule of the $\mathcal{O}_S$-module $V$ of polynomials of degree less than $m$, which is a free $\mathcal{O}_S$-module of rank $m$ and hence a free $R$-module of rank $ma|S|$. Thus, as in the setting of Lemmas 2.2 and 2.3, we are working with an $R$-module contained in a free $R$-module.

We want $Q(x)$ to have the property that for $w \in \mathcal{L}(D)$,
$$N(Q(w)) < N(I)^{\beta k}.$$
In fact, we will bound $N(Q(w))$ by
$$N(Q(w)) = \prod_{p \in S} |Q(w)|_p \le \Bigl(\max_{p \in S} |Q(w)|_p\Bigr)^{|S|}$$
and we will ensure that
$$\Bigl(\max_{p \in S} |Q(w)|_p\Bigr)^{|S|} < N(I)^{\beta k}.$$
Let $q_0, \ldots, q_{m-1}$ denote the coefficients of $Q$, so
$$Q(x) = \sum_{i=0}^{m-1} q_i x^i.$$
Then
$$|Q(w)|_p \le \max_i |q_i|_p\, |w|_p^i.$$
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Suppose the divisor D is given by 

D = ^^P- 

pes 

Then \w\ p < q Xp for w G £{D), and thus 

To emulate the analysis from Sections [3] and [4j we would like to find X G such that 
= — X p for all p £ S. However, such an element does not always exist. Instead, we will 
construct an element with the desired valuations at all but one point in S. This approach is a 
special case of the strong approximation theorem (Theorem 1.6.5 in [42J or Theorem 6.13 in |38j), 
but as we need only a weaker conclusion and must consider computational feasibility, we will give a 
direct proof. 

Lemma 6.2. Suppose $q > 2|S|$. Then for any point $p_0 \in S$ and each divisor $\sum_{p \in S} \mu_p\,p$ satisfying $\sum_{p \in S} \mu_p \ge 0$ and $\mu_{p_0} = 0$, there exists an element $X \in \mathcal{O}_S$ such that $v_p(X) = -\mu_p$ for all $p \in S \setminus \{p_0\}$, and $v_{p_0}(X) = -2g$, where $g$ is the genus of $X$. Furthermore, we can construct such an $X$ in probabilistic polynomial time.

Proof. Let $A = \sum_{p \in S} \mu_p\,p + 2g\,p_0$. Then $\deg(A) \ge 2g$, and it follows from Riemann-Roch that $\dim_{\mathbb{F}_q} \mathcal{L}(A) = \deg(A) - (g - 1)$ and that $\dim_{\mathbb{F}_q} \mathcal{L}(A - p) = \dim_{\mathbb{F}_q} \mathcal{L}(A) - 1$ for all $p \in S$. We are looking for an element $X$ in $\mathcal{L}(A)$ but not in $\mathcal{L}(A - p)$ for any $p \in S$. By assumption we can construct these Riemann-Roch spaces, and because $|S| < q/2$ at least half the elements of $\mathcal{L}(A)$ will have the desired property, so we can find one by random sampling. □

The assumption that $q > 2|S|$ will hold in most applications: most algebraic-geometric codes use a small set $S$, and in fact $|S|$ cannot be much larger than $q$ because $S \subseteq X(\mathbb{F}_q)$ and $|X(\mathbb{F}_q)| \le q + 2g\sqrt{q} + 1$ (see Theorem 5.2.3 in [12]). However, if $|S| \ge q/2$, then we can simply pass to a finite extension of $\mathbb{F}_q$. Thus, without loss of generality we can assume that $q > 2|S|$.

By assumption in Theorem 1.4, the support of $D$ is a proper subset of $S$, so we can let $p_0 \in S$ be a point such that $\lambda_{p_0} = 0$. Because of the limitations of the strong approximation theorem, we require such a point to make the remainder of the proof work. This is not an obstacle to the applicability of the theorem, because algebraic-geometric codes will generally not use every point in $X(\mathbb{F}_q)$ for poles or evaluation points, and if they do we can pass to a finite extension of $\mathbb{F}_q$ to generate more points. Note also that we can assume $\deg(D) > 0$, because otherwise $\mathcal{L}(D)$ is the empty set.

Now, Lemma 6.2 lets us construct an element $X \in \mathcal{O}_S$ such that $v_p(X) = -\lambda_p$ for $p \in S \setminus \{p_0\}$. This element has the property that $v_p(X^i) = -i\lambda_p$ for $p \in S \setminus \{p_0\}$. Unfortunately, the valuation at $p_0$ grows linearly with $i$ as well, and that will damage our bounds. However, we can avoid that problem by applying Lemma 6.2 to construct elements $X_i$ so that $v_p(X_i) = -i\lambda_p$ for $p \in S \setminus \{p_0\}$ while maintaining $v_{p_0}(X_i) = -2g$. Of course we set $X_0 = 1$. In terms of the elements $X_i$, we have
\[
|Q(w)|_p \le \max_i |q_i X_i|_p
\]
for $p \in S \setminus \{p_0\}$. Furthermore, this inequality holds for $p = p_0$ because $v_{p_0}(w) \ge 0 \ge v_{p_0}(X_i)$.
Define the norm of a polynomial $\sum_i a_i x^i \in \mathcal{P}$ (with $a_i \in \mathcal{O}_S$) by
\[
\Big|\sum_i a_i x^i\Big| = \max_i \max_{p \in S} |a_i|_p.
\]
Note that this defines a non-Archimedean norm on the free $R$-module $\mathcal{P}$ satisfying all three properties required in Section 2.3 (with the absolute value $|\cdot|$ on $R$). Here, we crucially use the fact that we have only one absolute value on $R$; if that were not the case, then property 3 would fail.

Let $T \colon \mathcal{P} \to \mathcal{P}$ be the linear transformation that multiplies the degree $i$ term by $X_i$. Then
\[
\max_{p \in S} |Q(w)|_p \le \max_{p \in S} \max_i |q_i X_i|_p = |TQ|.
\]
Thus, it will suffice to construct a nonzero polynomial $Q \in \mathcal{M}$ such that $|TQ|^{|S|} < N(I)^{\beta k}$.

Now we can apply Lemma 2.3. We need to determine two things: the geometric mean $C$ of the norms of an $R$-basis of $\mathcal{P}$ and the dimension of the quotient $\mathcal{P}/T\mathcal{M}$. Then there exists a nonzero $Q \in \mathcal{M}$ such that
\[
|TQ| \le C\,|z|^{\dim_{\mathbb{F}_q}(\mathcal{P}/T\mathcal{M})/(a|S|m)} = C\,q^{\dim_{\mathbb{F}_q}(\mathcal{P}/T\mathcal{M})/(|S|m)},
\]
because these $R$-modules have rank $a|S|m$ and $|z| = q^a$.

Let $b_1, \dots, b_{a|S|}$ be any $R$-basis of $\mathcal{O}_S$, and let
\[
C = \Big(\prod_{i=1}^{a|S|} |b_i|\Big)^{1/(a|S|)}.
\]
Then the elements $b_i x^j \in \mathcal{P}$ (with $1 \le i \le a|S|$ and $0 \le j < m$) form an $R$-basis of $\mathcal{P}$, and the geometric mean of their norms is $C$ because $|b_i x^j|$ is independent of the degree $j$.

To compute the dimension of $\mathcal{P}/T\mathcal{M}$, note that the generators of $\mathcal{M}$ are triangular (i.e., given by polynomials of each degree). Thus, we merely need to add the dimensions of the quotients of $\mathcal{O}_S$ by the modules of leading coefficients. From the polynomials $X_{di+j}\,x^j f(x)^i I^{k-i}$, we see that the leading coefficients form the ideal $X_{di+j} I^{k-i}$. Thus,
\[
q^{\dim_{\mathbb{F}_q} \mathcal{P}/T\mathcal{M}} = |\mathcal{P}/T\mathcal{M}| = N(I)^{dk(k+1)/2} \prod_{i=0}^{m-1} N(X_i) = N(I)^{dk(k+1)/2} \Big(\prod_{p \in S} q^{\lambda_p\, m(m-1)/2}\Big) \prod_{i=0}^{m-1} |X_i|_{p_0}.
\]
Thus,
\[
q^{\dim_{\mathbb{F}_q} \mathcal{P}/T\mathcal{M}} \le N(I)^{dk(k+1)/2}\, q^{\deg(D)\,m(m-1)/2}\, q^{2mg}.
\]
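The two factors in the index computation above, carried through explicitly. This is an added derivation in the paper's own notation, not text from the paper; it uses only the facts already stated: $N(I) = q^n$, $v_p(X_i) = -i\lambda_p$ for $p \ne p_0$, $v_{p_0}(X_i) = -2g$ for $i \ge 1$, $X_0 = 1$, and $\lambda_{p_0} = 0$.

```latex
% Added derivation (not from the paper): the two factors in |P/TM|.
% First factor: each generator x^j f(x)^i I^{k-i}, 0 <= i < k, 0 <= j < d,
% contributes dim_{F_q} O_S / I^{k-i} = (k-i) n, because N(I) = q^n.
\sum_{i=0}^{k-1} \sum_{j=0}^{d-1} \dim_{\mathbb{F}_q} \mathcal{O}_S / I^{k-i}
  = \sum_{i=0}^{k-1} d\,(k-i)\,n
  = n d \cdot \frac{k(k+1)}{2},
\qquad\text{so}\qquad
\prod_{i=0}^{k-1} \prod_{j=0}^{d-1} N(I)^{k-i} = N(I)^{dk(k+1)/2}.
% The generators x^j f(x)^k, 0 <= j < t, have leading-coefficient ideal
% X_{dk+j} O_S (the case i = k of X_{di+j} I^{k-i}), so they add only the
% factors N(X_{dk+j}) that are already counted in \prod_{i=0}^{m-1} N(X_i).

% Second factor: N(X_i) = \prod_{p \in S} |X_i|_p, with |X_i|_p = q^{i \lambda_p}
% for p != p_0 and |X_i|_{p_0} = q^{2g} for i >= 1 (and X_0 = 1).
\prod_{i=0}^{m-1} N(X_i)
  = \prod_{i=0}^{m-1} \prod_{p \in S} |X_i|_p
  = \Big(\prod_{p \in S} q^{\lambda_p \sum_{i=0}^{m-1} i}\Big) \prod_{i=1}^{m-1} q^{2g}
  = q^{\deg(D)\, m(m-1)/2}\; q^{2g(m-1)}
  \le q^{\deg(D)\, m(m-1)/2}\; q^{2mg},
% using \sum_{i=0}^{m-1} i = m(m-1)/2 and \sum_{p \in S} \lambda_p = \deg(D)
% (the p_0 term of the first product is 1 since \lambda_{p_0} = 0).
```

The slack between $q^{2g(m-1)}$ and $q^{2mg}$ is exactly one factor of $q^{2g}$, which is why the genus enters the final parameter choice only through the additive term $2g$ inside $m > 1 + 4nd(\cdots)$.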

Now applying Lemma 2.3 shows that we can find a nonzero polynomial $Q \in \mathcal{M}$ such that
\[
|TQ|^{|S|} \le C^{|S|}\, q^{2g}\, q^{\deg(D)(m-1)/2}\, N(I)^{dk(k+1)/(2m)}.
\]
We want to achieve $|TQ|^{|S|} < N(I)^{\beta k}$. Let $N(I) = q^n$ and
\[
\ell = \deg(D) + \frac{2}{m-1} \log_q\big(C^{|S|} q^{2g}\big).
\]
Then Lemma 3.1 applies, and shows that we can achieve $|TQ|^{|S|} < N(I)^{\beta k}$ whenever
\[
\ell < \Big(\frac{\beta^2}{d} - \varepsilon\Big) n,
\]
which is equivalent to
\[
\big(C^{|S|} q^{2g}\big)^{2/(m-1)}\, q^{\deg(D)} < N(I)^{\beta^2/d - \varepsilon}.
\]
We can take the denominator of $\beta$ to be a divisor of $n$ (because $N(I) = q^n$). Thus, $N(I)^{\beta^2/d}$ is an integral power of $q^{1/(nd)}$, as of course is $q^{\deg(D)}$, and to prove the bound in Theorem 1.4 it suffices to prove it to within a factor of less than $q^{1/(nd)}$.

Now let $\varepsilon < 1/(2n^2 d)$ and $m > 1 + 4nd\,\big(2g + |S| \log_q C\big)$. Then $N(I)^{\varepsilon}$ and $\big(C^{|S|} q^{2g}\big)^{2/(m-1)}$ are both strictly less than $q^{1/(2nd)}$. Thus, our algorithm works as long as
\[
q^{\deg(D)} < N(I)^{\beta^2/d}.
\]
This completes the proof of Theorem 1.4.